← Back to Explore
sigmahighHunting
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Detection Query
selection_paths:
Image|contains:
- :\$Recycle.bin
- :\Perflogs\
- :\Temp\
- :\Users\Default\
- :\Users\Public\
- :\Windows\Fonts\
- :\Windows\IME\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Temp\
- \config\systemprofile\
- \Windows\addins\
selection_domains:
Initiated: "true"
DestinationHostname|endswith:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- github.com
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.co.nz
- mega.nz
- onrender.com
- pages.dev
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- pixeldrain.com
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- trycloudflare.com
- ufile.io
- w3spaces.com
- workers.dev
condition: all of selection_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2018-08-30
Data Sources
windowsNetwork Connection Events
Platforms
windows
References
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
- id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
type: obsolete
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection_paths:
Image|contains:
- ':\$Recycle.bin'
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Fonts\'
- ':\Windows\IME\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Temp\'
- '\config\systemprofile\'
- '\Windows\addins\'
selection_domains:
Initiated: 'true'
DestinationHostname|endswith:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high