Network utility executed with suspicious URI

Classification:

attack

Tactic:

TA0011-command-and-control

Technique:

T1105-ingress-tool-transfer

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect HTTP requests with patterns that are unusual for a cloud workload.

Strategy

This rule generates a signal when a network utility such as curl or wget makes a request for a URI with an unusual pattern. The patterns used in this rule appeared in previous compromises of cloud resources. For example, it is unusual for a production workload to download a file with a .jpg extension. Threat actors have used this extension to evade detection.

Triage and response

  1. Determine the URL being requested using the process tree.
  2. Identify other compromised systems by searching logs for requests to this URI or domain.
  3. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack). Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.27 or greater.