← Back to Explore
sigmahighHunting
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Detection Query
selection_domain:
Contents|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- github.com
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- pages.dev
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- pixeldrain.com
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- trycloudflare.com
- ufile.io
- w3spaces.com
- workers.dev
selection_extension:
TargetFilename|contains:
- .cpl:Zone
- .dll:Zone
- .exe:Zone
- .hta:Zone
- .lnk:Zone
- .one:Zone
- .vbe:Zone
- .vbs:Zone
- .xll:Zone
condition: all of selection_*
Author
Florian Roth (Nextron Systems)
Created
2022-08-24
Data Sources
windowscreate_stream_hash
Platforms
windows
References
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Tags
attack.defense-evasionattack.s0139attack.t1564.004
Raw Content
title: Suspicious File Download From File Sharing Websites - File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.defense-evasion
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.cpl:Zone'
- '.dll:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.lnk:Zone'
- '.one:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.xll:Zone'
condition: all of selection_*
falsepositives:
- Some false positives might occur with binaries download via Github
level: high