Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Sigma rule (View on GitHub)
1title: Unusual File Download From File Sharing Websites - File Stream
2id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
3related:
4 - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
5 type: similar
6status: experimental
7description: Detects the download of suspicious file type from a well-known file and paste sharing domain
8references:
9 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
10 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
11 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
12author: Florian Roth (Nextron Systems)
13date: 2022-08-24
14modified: 2024-10-21
15tags:
16 - attack.defense-evasion
17 - attack.s0139
18 - attack.t1564.004
19logsource:
20 product: windows
21 category: create_stream_hash
22detection:
23 selection_domain:
24 Contents|contains:
25 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
26 - 'anonfiles.com'
27 - 'cdn.discordapp.com'
28 - 'ddns.net'
29 - 'dl.dropboxusercontent.com'
30 - 'ghostbin.co'
31 - 'glitch.me'
32 - 'gofile.io'
33 - 'hastebin.com'
34 - 'mediafire.com'
35 - 'mega.nz'
36 - 'onrender.com'
37 - 'pages.dev'
38 - 'paste.ee'
39 - 'pastebin.com'
40 - 'pastebin.pl'
41 - 'pastetext.net'
42 - 'pixeldrain.com'
43 - 'privatlab.com'
44 - 'privatlab.net'
45 - 'send.exploit.in'
46 - 'sendspace.com'
47 - 'storage.googleapis.com'
48 - 'storjshare.io'
49 - 'supabase.co'
50 - 'temp.sh'
51 - 'transfer.sh'
52 - 'trycloudflare.com'
53 - 'ufile.io'
54 - 'w3spaces.com'
55 - 'workers.dev'
56 selection_extension:
57 TargetFilename|contains:
58 - '.bat:Zone'
59 - '.cmd:Zone'
60 - '.ps1:Zone'
61 condition: all of selection_*
62falsepositives:
63 - Unknown
64level: medium
References
-
Sysmon Event ID 15 SourceSysmon 15: FileCreateStreamHash This is an event from Sysmon. On this page Description of this event Field level details Examples This event logs when a named file stream i...
Read More -
Summary Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware...
Read More -
A distinct subset of Mint Sandstorm targets high-profile individuals working on Middle Eastern affairs at universities and research orgs.
Read More
Related rules
- Suspicious File Download From File Sharing Websites - File Stream
- Hidden Executable In NTFS Alternate Data Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Hidden Flag Set On File/Directory Via Chflags - MacOS