EXPLORE
← Back to Explore
sigmahighHunting

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

MITRE ATT&CK

command-and-control

Detection Query

selection_paths:
  Image|contains:
    - :\$Recycle.bin
    - :\Perflogs\
    - :\Temp\
    - :\Users\Default\
    - :\Users\Public\
    - :\Windows\Fonts\
    - :\Windows\IME\
    - :\Windows\System32\Tasks\
    - :\Windows\Tasks\
    - :\Windows\Temp\
    - \AppData\Temp\
    - \config\systemprofile\
    - \Windows\addins\
selection_domains:
  Initiated: "true"
  DestinationHostname|endswith:
    - .githubusercontent.com
    - 0x0.st
    - anonfiles.com
    - bashupload.com
    - cdn.discordapp.com
    - chunk.io
    - ddns.net
    - dl.dropboxusercontent.com
    - ghostbin.co
    - github.com
    - glitch.me
    - gofile.io
    - hastebin.com
    - mediafire.com
    - mega.co.nz
    - mega.nz
    - onrender.com
    - pages.dev
    - paste.ee
    - pastebin.com
    - pastebin.pl
    - pastetext.net
    - pixeldrain.com
    - privatlab.com
    - privatlab.net
    - send.exploit.in
    - sendspace.com
    - storage.googleapis.com
    - storjshare.io
    - supabase.co
    - temp.sh
    - transfer.sh
    - trycloudflare.com
    - ufile.io
    - w3spaces.com
    - workers.dev
    - x0.at
condition: all of selection_*

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Created

2018-08-30

Data Sources

windowsNetwork Connection Events

Platforms

windows

Tags

attack.command-and-controlattack.t1105
Raw Content
title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsolete
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
      type: similar
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2026-03-29
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - '0x0.st'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
            - 'x0.at'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high