← Back to Explore
sigmahighHunting
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Detection Query
selection_paths:
Image|contains:
- :\$Recycle.bin
- :\Perflogs\
- :\Temp\
- :\Users\Default\
- :\Users\Public\
- :\Windows\Fonts\
- :\Windows\IME\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Temp\
- \config\systemprofile\
- \Windows\addins\
selection_domains:
Initiated: "true"
DestinationHostname|endswith:
- .githubusercontent.com
- 0x0.st
- anonfiles.com
- bashupload.com
- cdn.discordapp.com
- chunk.io
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- github.com
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.co.nz
- mega.nz
- onrender.com
- pages.dev
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- pixeldrain.com
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- trycloudflare.com
- ufile.io
- w3spaces.com
- workers.dev
- x0.at
condition: all of selection_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2018-08-30
Data Sources
windowsNetwork Connection Events
Platforms
windows
References
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
- id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
type: obsolete
- id: 8b48ad89-10d8-4382-a546-50588c410f0d
type: similar
- id: d635249d-86b5-4dad-a8c7-d7272b788586
type: similar
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
- id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
type: similar
- id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
type: similar
- id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
type: similar
- id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
type: similar
- id: b6e04788-29e1-4557-bb14-77f761848ab8
type: similar
- id: a0d7e4d2-bede-4141-8896-bc6e237e977c
type: similar
- id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
type: similar
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2026-03-29
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection_paths:
Image|contains:
- ':\$Recycle.bin'
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Fonts\'
- ':\Windows\IME\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Temp\'
- '\config\systemprofile\'
- '\Windows\addins\'
selection_domains:
Initiated: 'true'
DestinationHostname|endswith:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- '0x0.st'
- 'anonfiles.com'
- 'bashupload.com'
- 'cdn.discordapp.com'
- 'chunk.io'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
- 'x0.at'
condition: all of selection_*
falsepositives:
- Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high