Microsoft Binary Suspicious Communication Endpoint

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Sigma rule

title: Microsoft Binary Suspicious Communication Endpoint
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsoletes
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018/08/30
modified: 2024/02/09
tags:
    - attack.lateral_movement
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cdn.discordapp.com/attachments/'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
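To see how the two selections combine under `condition: all of selection_*`, here is an added example (not part of the SigmaHQ rule or its tooling) that evaluates the same `contains` / `endswith` logic, case-insensitively as Sigma does, over a few constructed Sysmon network_connection events; the event dictionaries and their values are made up for illustration.

```python
"""Evaluate this Sigma rule's detection logic over constructed network_connection events."""

# Lifted from selection_paths (Image|contains) and selection_domains (DestinationHostname|endswith).
SUSPICIOUS_PATHS = [
    ':\\PerfLogs\\', ':\\Temp\\', ':\\Users\\Public\\', ':\\Windows\\System32\\Tasks\\',
    ':\\Windows\\Tasks\\', ':\\Windows\\Temp\\', '\\AppData\\Temp\\',
]
FILE_SHARING_DOMAINS = [
    '.githubusercontent.com', 'anonfiles.com', 'cdn.discordapp.com',
    'cdn.discordapp.com/attachments/',  # kept as in the rule; a hostname field carries no path, so it never matches
    'ddns.net', 'dl.dropboxusercontent.com', 'ghostbin.co', 'glitch.me', 'gofile.io',
    'hastebin.com', 'mediafire.com', 'mega.co.nz', 'mega.nz', 'onrender.com', 'paste.ee',
    'pastebin.com', 'pastebin.pl', 'pastetext.net', 'privatlab.com', 'privatlab.net',
    'send.exploit.in', 'sendspace.com', 'storage.googleapis.com', 'storjshare.io',
    'supabase.co', 'temp.sh', 'transfer.sh', 'ufile.io',
]


def matches(event: dict) -> bool:
    """True when both selections hold, i.e. the rule's 'all of selection_*' condition."""
    # Sigma string matching is case-insensitive, so normalise both sides.
    image = str(event.get('Image', '')).lower()
    host = str(event.get('DestinationHostname', '')).lower()
    initiated = str(event.get('Initiated', '')).lower() == 'true'  # outbound connection only
    in_suspicious_path = any(p.lower() in image for p in SUSPICIOUS_PATHS)
    to_sharing_domain = any(host.endswith(d.lower()) for d in FILE_SHARING_DOMAINS)
    return in_suspicious_path and initiated and to_sharing_domain


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {'Image': 'C:\\Users\\Public\\update.exe', 'Initiated': 'true', 'DestinationHostname': 'raw.githubusercontent.com'},
    {'Image': 'C:\\Windows\\Temp\\svc.exe', 'Initiated': 'true', 'DestinationHostname': 'CDN.discordapp.com'},
    {'Image': 'C:\\Program Files\\Vendor\\app.exe', 'Initiated': 'true', 'DestinationHostname': 'pastebin.com'},  # path not suspicious
    {'Image': 'C:\\Users\\Public\\agent.exe', 'Initiated': 'false', 'DestinationHostname': 'mega.nz'},  # inbound, not initiated
    {'Image': 'C:\\Users\\bob\\AppData\\Temp\\x.exe', 'Initiated': 'true', 'DestinationHostname': 'update.vendor.example'},  # domain not listed
]


def alerts(events):
    """Return the events this rule would fire on."""
    return [e for e in events if matches(e)]
```

Only the first two sample events satisfy both selections; each of the other three fails exactly one of the path, direction or domain checks, which is the behaviour to confirm before tuning the false-positive baseline the rule mentions.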
