Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Sigma rule

title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsoletes
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018/08/30
modified: 2024/05/31
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cdn.discordapp.com/attachments/'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
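To show how the two selections combine under `condition: all of selection_*`, here is an added example (not part of the Sigma project or this rule's page) that evaluates the rule's logic in plain Python over constructed Sysmon Event ID 3 records. It assumes the field names used by the rule (`Image`, `Initiated`, `DestinationHostname`), uses only a subset of the rule's domain list, and applies Sigma's default case-insensitive string matching.

```python
"""Evaluate the rule's detection logic over constructed network_connection
events. Sample data and code are added for illustration; they are not the
Sigma project's own implementation."""

SUSPICIOUS_PATHS = [  # selection_paths: Image|contains
    ':\\$Recycle.bin', ':\\Perflogs\\', ':\\Temp\\', ':\\Users\\Default\\',
    ':\\Users\\Public\\', ':\\Windows\\Fonts\\', ':\\Windows\\IME\\',
    ':\\Windows\\System32\\Tasks\\', ':\\Windows\\Tasks\\', ':\\Windows\\Temp\\',
    '\\AppData\\Temp\\', '\\config\\systemprofile\\', '\\Windows\\addins\\',
]
FILE_SHARING_DOMAINS = [  # selection_domains: DestinationHostname|endswith (subset)
    '.githubusercontent.com', 'anonfiles.com', 'cdn.discordapp.com', 'ddns.net',
    'dl.dropboxusercontent.com', 'gofile.io', 'mega.nz', 'pastebin.com',
    'storage.googleapis.com', 'transfer.sh', 'ufile.io',
]


def matches(event: dict) -> bool:
    """True when both selections hold (condition: all of selection_*).
    Sigma string modifiers match case-insensitively, so compare lowercased."""
    image = event.get('Image', '').lower()
    host = event.get('DestinationHostname', '').lower()
    in_suspicious_dir = any(p.lower() in image for p in SUSPICIOUS_PATHS)
    to_file_share = any(host.endswith(d) for d in FILE_SHARING_DOMAINS)
    initiated = event.get('Initiated', '').lower() == 'true'
    return initiated and in_suspicious_dir and to_file_share


# Constructed sample events mirroring Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    {'Image': 'C:\\Users\\Public\\update.exe', 'Initiated': 'true',
     'DestinationHostname': 'raw.githubusercontent.com'},          # hit
    {'Image': 'C:\\Windows\\Temp\\svc.exe', 'Initiated': 'true',
     'DestinationHostname': 'cdn.discordapp.com'},                 # hit
    {'Image': 'C:\\Program Files\\Git\\bin\\git.exe', 'Initiated': 'true',
     'DestinationHostname': 'raw.githubusercontent.com'},          # path not suspicious
    {'Image': 'C:\\Users\\Public\\tool.exe', 'Initiated': 'false',
     'DestinationHostname': 'mega.nz'},                            # inbound, not initiated
    {'Image': 'C:\\Users\\Public\\tool.exe', 'Initiated': 'true',
     'DestinationHostname': 'updates.example.com'},                # not a file-sharing domain
]


def alerts(events):
    """Return the events that would fire this rule."""
    return [e for e in events if matches(e)]


if __name__ == '__main__':
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT {e['Image']} -> {e['DestinationHostname']}")
```

The third sample is the false-positive class the rule notes: a legitimate tool reaching GitHub content is only ignored here because its path is not in the suspicious list, so baselining installers that run from Temp is still needed.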
