Type: Detection | Level: high | Status: test

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Authors: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Thu Aug 30
Updated: Wed Dec 10
Rule ID: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
False Positives

Some installers located in the temp directory might communicate with GitHub domains in order to download additional software. Baseline these cases, or move the github.com domain to a lower-level hunting rule.
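To make the two selectors and the baselining advice concrete, the following is an added example (not part of the rule or the Sigma project) that replays the rule's logic in Python over constructed network-connection events. Sigma string matching is case-insensitive by default, so `contains` and `endswith` are evaluated on lower-cased values, and `Initiated` is compared as the string `'true'` the way Sysmon Event ID 3 reports it. The `BASELINE` set, the `evaluate` function and all event values are assumptions made for this example; the event field names are the Sigma field names used by the rule itself.

```python
"""Replay of the rule's two selectors over constructed network-connection events."""

# Values copied from the rule. Sigma string matching is case-insensitive unless a
# modifier says otherwise, so every comparison below is done in lower case.
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\$Recycle.bin", ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Public\\", ":\\Windows\\Fonts\\", ":\\Windows\\IME\\",
    ":\\Windows\\System32\\Tasks\\", ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\",
    "\\AppData\\Temp\\", "\\config\\systemprofile\\", "\\Windows\\addins\\",
]
FILE_SHARING_SUFFIXES = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "github.com", "glitch.me",
    "gofile.io", "hastebin.com", "mediafire.com", "mega.co.nz", "mega.nz",
    "onrender.com", "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl",
    "pastetext.net", "pixeldrain.com", "privatlab.com", "privatlab.net",
    "send.exploit.in", "sendspace.com", "storage.googleapis.com", "storjshare.io",
    "supabase.co", "temp.sh", "transfer.sh", "trycloudflare.com", "ufile.io",
    "w3spaces.com", "workers.dev",
]


def selection_paths(event):
    """Image|contains: any fragment appears anywhere in the image path."""
    image = event.get("Image", "").lower()
    return any(frag.lower() in image for frag in SUSPICIOUS_PATH_FRAGMENTS)


def selection_domains(event):
    """Initiated: 'true' AND DestinationHostname|endswith any listed suffix."""
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    host = event.get("DestinationHostname", "").lower()
    return any(host.endswith(suffix.lower()) for suffix in FILE_SHARING_SUFFIXES)


def matches(event):
    """condition: all of selection_* (both selectors must be true)."""
    return selection_paths(event) and selection_domains(event)


# Constructed baseline (assumption): (exact lower-cased image path, hostname suffix)
# pairs an analyst has verified as a legitimate installer, per the False Positives note.
BASELINE = {("c:\\windows\\temp\\vendor_setup.exe", "github.com")}


def is_baselined(event, baseline):
    image = event.get("Image", "").lower()
    host = event.get("DestinationHostname", "").lower()
    return any(image == img and host.endswith(suffix) for img, suffix in baseline)


def evaluate(events, baseline):
    """Split rule hits into alerts and baselined (known-good) hits."""
    result = {"alerts": [], "baselined": []}
    for event in events:
        if not matches(event):
            continue
        bucket = "baselined" if is_baselined(event, baseline) else "alerts"
        result[bucket].append(event["Image"])
    return result


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    # Suspicious folder + file-sharing CDN, outbound: fires.
    {"Image": "C:\\Users\\Public\\update.exe",
     "DestinationHostname": "cdn.discordapp.com", "Initiated": "true"},
    # Legitimate install location: selection_paths is false, no hit.
    {"Image": "C:\\Program Files\\Git\\bin\\git.exe",
     "DestinationHostname": "github.com", "Initiated": "true"},
    # Inbound connection: Initiated is not 'true', no hit.
    {"Image": "C:\\Windows\\Temp\\loader.exe",
     "DestinationHostname": "raw.githubusercontent.com", "Initiated": "false"},
    # Installer in Windows\Temp talking to github.com: rule hit, but baselined.
    {"Image": "C:\\Windows\\Temp\\vendor_setup.exe",
     "DestinationHostname": "github.com", "Initiated": "true"},
    # Per-user temp dir: '\AppData\Local\Temp\' does not contain '\AppData\Temp\',
    # so this path is outside the rule's coverage and does not fire.
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe",
     "DestinationHostname": "pastebin.com", "Initiated": "true"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, BASELINE))
```

Running the block prints one alert for `update.exe` and one baselined hit for `vendor_setup.exe`; the git.exe, inbound and `AppData\Local\Temp` events do not match, which shows where the rule's string fragments do and do not reach.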

Related Rules
Similar

635dbb88-67b3-4b41-9ea5-a3af2dd88153

Rule Metadata
Rule ID
e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
Status
test
Level
high
Type
Detection
Created
Thu Aug 30
Modified
Wed Dec 10
Path
rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
Raw Tags
attack.command-and-control, attack.t1105