Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE

Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri Feb 23Updated Tue Dec 10b6e04788-29e1-4557-bb14-77f761848ab8windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_websites:
        CommandLine|contains:
            # Note: You might want to baseline the github domain before including it
            # - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            # - 'github.com'  See note above
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    selection_download:
        CommandLine|contains:
            - '.DownloadString('
            - '.DownloadFile('
            - 'Invoke-WebRequest '
            - 'iwr '
            - 'wget '
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
labs.withsecure.com
2
Resolving title…
github.com
3
Resolving title…
microsoft.com
4
Resolving title…
huntress.com
MITRE ATT&CK
Rule Metadata
Rule ID
b6e04788-29e1-4557-bb14-77f761848ab8
Status
test
Level
high
Type
Detection
Created
Fri Feb 23
Modified
Tue Dec 10
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
Raw Tags
attack.execution
View on GitHub