EXPLORE
← Back to Explore
sigmahighHunting

Suspicious File Download From File Sharing Websites - File Stream

Detects the download of suspicious file type from a well-known file and paste sharing domain

MITRE ATT&CK

Detection Query

selection_domain:
  Contents|contains:
    - .githubusercontent.com
    - 0x0.st
    - anonfiles.com
    - bashupload.com
    - cdn.discordapp.com
    - chunk.io
    - ddns.net
    - dl.dropboxusercontent.com
    - ghostbin.co
    - github.com
    - glitch.me
    - gofile.io
    - hastebin.com
    - mediafire.com
    - mega.nz
    - onrender.com
    - pages.dev
    - paste.ee
    - pastebin.com
    - pastebin.pl
    - pastetext.net
    - pixeldrain.com
    - privatlab.com
    - privatlab.net
    - send.exploit.in
    - sendspace.com
    - storage.googleapis.com
    - storjshare.io
    - supabase.co
    - temp.sh
    - transfer.sh
    - trycloudflare.com
    - ufile.io
    - w3spaces.com
    - workers.dev
    - x0.at
selection_extension:
  TargetFilename|contains:
    - .cpl:Zone
    - .dll:Zone
    - .exe:Zone
    - .hta:Zone
    - .lnk:Zone
    - .one:Zone
    - .vbe:Zone
    - .vbs:Zone
    - .xll:Zone
condition: all of selection_*

Author

Florian Roth (Nextron Systems)

Created

2022-08-24

Data Sources

windowscreate_stream_hash

Platforms

windows

Tags

attack.stealthattack.s0139attack.t1564.004
Raw Content
title: Suspicious File Download From File Sharing Websites -  File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
      type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2026-03-29
tags:
    - attack.stealth
    - attack.s0139
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection_domain:
        Contents|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - '0x0.st'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
            - 'x0.at'
    selection_extension:
        TargetFilename|contains:
            - '.cpl:Zone'
            - '.dll:Zone'
            - '.exe:Zone'
            - '.hta:Zone'
            - '.lnk:Zone'
            - '.one:Zone'
            - '.vbe:Zone'
            - '.vbs:Zone'
            - '.xll:Zone'
    condition: all of selection_*
falsepositives:
    - Some false positives might occur with binaries download via Github
level: high