Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Sigma rule

title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsolete
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2024-10-21
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
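The following is an added example, not part of the rule page or of the SigmaHQ project, that evaluates the rule's two selections by hand over a handful of constructed Windows network_connection events. It assumes each event is a Python dict carrying the Sysmon-style field names the rule uses (Image, Initiated, DestinationHostname) and applies Sigma's `contains` and `endswith` semantics (case-insensitive substring and suffix matching). It also includes a stricter hostname matcher (my addition, not in the rule) to show how a bare suffix such as 'pastebin.com' behaves under plain `endswith` compared with a label-boundary match, which is worth knowing when baselining false positives.

```python
"""Hand-rolled evaluation of the Sigma rule's detection block (example, not Sigma's engine)."""

# Path fragments from selection_paths (Image|contains). Backslashes are literal.
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\$Recycle.bin", ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Public\\", ":\\Windows\\Fonts\\", ":\\Windows\\IME\\",
    ":\\Windows\\System32\\Tasks\\", ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\",
    "\\AppData\\Temp\\", "\\config\\systemprofile\\", "\\Windows\\addins\\",
]

# Hostname suffixes from selection_domains (DestinationHostname|endswith).
FILE_SHARING_SUFFIXES = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "glitch.me", "gofile.io",
    "hastebin.com", "mediafire.com", "mega.co.nz", "mega.nz", "onrender.com",
    "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net",
    "pixeldrain.com", "privatlab.com", "privatlab.net", "send.exploit.in",
    "sendspace.com", "storage.googleapis.com", "storjshare.io", "supabase.co",
    "temp.sh", "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com",
    "workers.dev",
]


def path_is_suspicious(image: str) -> bool:
    """Image|contains: case-insensitive substring match against any fragment."""
    image = image.lower()
    return any(frag.lower() in image for frag in SUSPICIOUS_PATH_FRAGMENTS)


def host_matches_rule(host: str) -> bool:
    """DestinationHostname|endswith as Sigma evaluates it: plain suffix, case-insensitive."""
    host = host.lower()
    return any(host.endswith(suffix.lower()) for suffix in FILE_SHARING_SUFFIXES)


def strict_domain_match(host: str) -> bool:
    """Tuning variant (not in the rule): only the domain itself or a subdomain of it.

    'files.mypastebin.com' ends with 'pastebin.com' as a string but is not a
    subdomain of pastebin.com; this matcher rejects it, the rule's endswith accepts it.
    """
    host = host.lower()
    for suffix in FILE_SHARING_SUFFIXES:
        domain = suffix.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    if not path_is_suspicious(str(event.get("Image", ""))):
        return False
    if str(event.get("Initiated", "")).lower() != "true":   # outbound only
        return False
    return host_matches_rule(str(event.get("DestinationHostname", "")))


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (Image, DestinationHostname) for every event the rule would fire on."""
    return [(e["Image"], e["DestinationHostname"]) for e in events if matches_rule(e)]


# Constructed sample events; none are real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "Initiated": "true",
     "DestinationHostname": "cdn.discordapp.com"},                 # fires
    {"Image": "C:\\Program Files\\Git\\cmd\\git.exe", "Initiated": "true",
     "DestinationHostname": "raw.githubusercontent.com"},          # benign path -> no
    {"Image": "C:\\Windows\\Temp\\setup.exe", "Initiated": "false",
     "DestinationHostname": "pastebin.com"},                       # inbound -> no
    {"Image": "C:\\Windows\\Temp\\setup.exe", "Initiated": "true",
     "DestinationHostname": "gist.githubusercontent.com"},         # fires (installer FP case)
    {"Image": "C:\\Temp\\agent.exe", "Initiated": "true",
     "DestinationHostname": "updates.example.internal"},           # unlisted host -> no
    {"Image": "D:\\perflogs\\svc.exe", "Initiated": "True",
     "DestinationHostname": "files.mypastebin.com"},               # fires via bare suffix
]

if __name__ == "__main__":
    for image, host in detect(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {host}")
```

Running the block flags three of the six constructed events, including the installer-in-Temp case the rule's falsepositives entry describes and the bare-suffix case that `strict_domain_match` would not count; comparing the two matchers on your own telemetry is a quick way to decide whether a given suffix belongs in this high-level rule or in a lower-level hunting rule, as the falsepositives note suggests.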
Related rules
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download From IP Based URL Via CertOC.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE