Microsoft Binary Suspicious Communication Endpoint
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Sigma rule
```yaml
title: Microsoft Binary Suspicious Communication Endpoint
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsoletes
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018/08/30
modified: 2024/02/09
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cdn.discordapp.com/attachments/'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
```
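The detection block combines two selections with `all of selection_*`: the image path must contain one of the listed directory fragments, and the process must have initiated a connection to a hostname ending in one of the listed suffixes. The Python below is an added example, not code from the Sigma project or from this page: it transcribes both selections and evaluates them over a handful of constructed Sysmon-style `network_connection` events (the field names `Image`, `Initiated` and `DestinationHostname` are those Sysmon Event ID 3 logs; the event ids, paths and hostnames are made up). It shows the case-insensitive matching that Sigma's `contains` and `endswith` modifiers imply, the installer-in-Temp false positive the rule itself notes, and why a suffix listed without a leading dot (for example `mega.nz`) also matches any unrelated hostname that happens to end in it, which is worth keeping in mind when tuning.

```python
"""Evaluate the rule's two selections over constructed Sysmon-style events.

Added example; it is not Sigma's own matching engine. Sigma string
matching is case-insensitive, so every comparison lowercases both sides.
"""

# selection_paths: Image|contains (transcribed from the rule above)
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Users\\Public\\",
    ":\\Windows\\System32\\Tasks\\", ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\", "\\AppData\\Temp\\",
]

# selection_domains: DestinationHostname|endswith (transcribed from the rule above)
FILE_SHARING_SUFFIXES = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com",
    "cdn.discordapp.com/attachments/", "ddns.net", "dl.dropboxusercontent.com",
    "ghostbin.co", "glitch.me", "gofile.io", "hastebin.com", "mediafire.com",
    "mega.co.nz", "mega.nz", "onrender.com", "paste.ee", "pastebin.com",
    "pastebin.pl", "pastetext.net", "privatlab.com", "privatlab.net",
    "send.exploit.in", "sendspace.com", "storage.googleapis.com",
    "storjshare.io", "supabase.co", "temp.sh", "transfer.sh", "ufile.io",
]


def _contains_any(value, fragments):
    """Sigma |contains: case-insensitive substring test against a list."""
    v = value.lower()
    return any(f.lower() in v for f in fragments)


def _endswith_any(value, suffixes):
    """Sigma |endswith: case-insensitive suffix test; no dot boundary is implied."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_paths(event):
    return _contains_any(event.get("Image", ""), SUSPICIOUS_PATH_FRAGMENTS)


def selection_domains(event):
    # The rule compares Initiated against the string 'true'; Sysmon logs the
    # field as "true" / "false".
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and _endswith_any(
        event.get("DestinationHostname", ""), FILE_SHARING_SUFFIXES)


def evaluate(event):
    """Return each selection's result plus the combined verdict (useful when tuning)."""
    paths = selection_paths(event)
    domains = selection_domains(event)
    return {"selection_paths": paths, "selection_domains": domains,
            "match": paths and domains}  # condition: all of selection_*


def matches(event):
    return evaluate(event)["match"]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Binary in a world-writable path pulling from a CDN file host: fires.
    {"id": "e1", "Image": "C:\\Users\\Public\\update.exe",
     "Initiated": "true", "DestinationHostname": "cdn.discordapp.com"},
    # Installer helper in Windows\Temp fetching from GitHub: fires; this is
    # the false positive the rule's falsepositives entry describes.
    {"id": "e2", "Image": "C:\\Windows\\Temp\\setup_helper.exe",
     "Initiated": "true", "DestinationHostname": "raw.githubusercontent.com"},
    # Same destination class, but the image is under Program Files: no path hit.
    {"id": "e3", "Image": "C:\\Program Files\\Vendor\\sync.exe",
     "Initiated": "true", "DestinationHostname": "dl.dropboxusercontent.com"},
    # Inbound connection (Initiated false): selection_domains fails.
    {"id": "e4", "Image": "C:\\Users\\Public\\tool.exe",
     "Initiated": "false", "DestinationHostname": "pastebin.com"},
    # Suspicious path but an internal destination: no domain hit.
    {"id": "e5", "Image": "C:\\Users\\Public\\tool.exe",
     "Initiated": "true", "DestinationHostname": "fileserver.corp.local"},
    # Mixed case everywhere, and a hostname that merely ends in "mega.nz":
    # still fires, because the suffix has no leading dot.
    {"id": "e6", "Image": "C:\\USERS\\PUBLIC\\agent.EXE",
     "Initiated": "true", "DestinationHostname": "files.OMEGA.nz"},
]


def run(events=SAMPLE_EVENTS):
    """Ids of the events the rule would flag."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], evaluate(e))
    print("flagged:", run())
```

`evaluate` returns the per-selection results rather than a bare boolean so that, when baselining the installer case from the `falsepositives` entry, it is immediately visible which half of the condition carried the match; the `e6` event is there to show that suffixes without a leading dot need either a dot prefix or a separate allowlist if they produce noise in a given environment.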
Related rules
- Suspicious Desktopimgdownldr Target File
- Suspicious Invoke-WebRequest Execution With DirectIP
- Suspicious Invoke-WebRequest Execution
- Operator Bring Your Own Tools
- Connection Initiated Via Certutil.EXE