Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE

Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe

Sigma rule (View on GitHub)

 1title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
 2id: b6e04788-29e1-4557-bb14-77f761848ab8
 3related:
 4    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
 5      type: similar
 6    - id: d635249d-86b5-4dad-a8c7-d7272b788586
 7      type: similar
 8    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
 9      type: similar
10    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
11      type: similar
12    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
13      type: similar
14    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
15      type: similar
16    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
17      type: similar
18    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
19      type: similar
20    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
21      type: similar
22    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
23      type: similar
24    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
25      type: similar
26status: test
27description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
28references:
29    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
30    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
31    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
32    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
33author: Nasreddine Bencherchali (Nextron Systems)
34date: 2024-02-23
35modified: 2026-03-29
36tags:
37    - attack.execution
38logsource:
39    category: process_creation
40    product: windows
41detection:
42    selection_img:
43        - Image|endswith:
44              - '\powershell.exe'
45              - '\pwsh.exe'
46        - OriginalFileName:
47              - 'PowerShell.EXE'
48              - 'pwsh.dll'
49    selection_websites:
50        CommandLine|contains:
51            # Note: You might want to baseline the github domain before including it
52            # - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).
53            - '0x0.st'
54            - 'anonfiles.com'
55            - 'bashupload.com'
56            - 'cdn.discordapp.com'
57            - 'chunk.io'
58            - 'ddns.net'
59            - 'dl.dropboxusercontent.com'
60            - 'ghostbin.co'
61            # - 'github.com'  See note above
62            - 'glitch.me'
63            - 'gofile.io'
64            - 'hastebin.com'
65            - 'mediafire.com'
66            - 'mega.nz'
67            - 'onrender.com'
68            - 'pages.dev'
69            - 'paste.ee'
70            - 'pastebin.com'
71            - 'pastebin.pl'
72            - 'pastetext.net'
73            - 'pixeldrain.com'
74            - 'privatlab.com'
75            - 'privatlab.net'
76            - 'send.exploit.in'
77            - 'sendspace.com'
78            - 'storage.googleapis.com'
79            - 'storjshare.io'
80            - 'supabase.co'
81            - 'temp.sh'
82            - 'transfer.sh'
83            - 'trycloudflare.com'
84            - 'ufile.io'
85            - 'w3spaces.com'
86            - 'workers.dev'
87            - 'x0.at'
88    selection_download:
89        CommandLine|contains:
90            - '.DownloadString('
91            - '.DownloadFile('
92            - 'Invoke-WebRequest '
93            - 'iwr '
94            - 'wget '
95    condition: all of selection_*
96falsepositives:
97    - Unknown
98level: high

References

Related rules

to-top