Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1105` Ingress Tool Transfer

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `all of selection_paths`

or:
Image|contains: ':\$Recycle.bin'
Image|contains: ':\Perflogs\'
Image|contains: ':\Temp\'
Image|contains: ':\Users\Default\'
Image|contains: ':\Users\Public\'
Image|contains: ':\Windows\Fonts\'
Image|contains: ':\Windows\IME\'
Image|contains: ':\Windows\System32\Tasks\'
Image|contains: ':\Windows\Tasks\'
Image|contains: ':\Windows\Temp\'
Image|contains: '\AppData\Temp\'
Image|contains: '\Windows\addins\'
Image|contains: '\config\systemprofile\'

Stage 2: `all of selection_domains`

or:
DestinationHostname|endswith: .githubusercontent.com
DestinationHostname|endswith: anonfiles.com
DestinationHostname|endswith: cdn.discordapp.com
DestinationHostname|endswith: ddns.net
DestinationHostname|endswith: dl.dropboxusercontent.com
DestinationHostname|endswith: ghostbin.co
DestinationHostname|endswith: github.com
DestinationHostname|endswith: glitch.me
DestinationHostname|endswith: gofile.io
DestinationHostname|endswith: hastebin.com
DestinationHostname|endswith: mediafire.com
DestinationHostname|endswith: mega.co.nz
DestinationHostname|endswith: mega.nz
DestinationHostname|endswith: onrender.com
DestinationHostname|endswith: pages.dev
DestinationHostname|endswith: paste.ee
DestinationHostname|endswith: pastebin.com
DestinationHostname|endswith: pastebin.pl
DestinationHostname|endswith: pastetext.net
DestinationHostname|endswith: pixeldrain.com
DestinationHostname|endswith: privatlab.com
DestinationHostname|endswith: privatlab.net
DestinationHostname|endswith: send.exploit.in
DestinationHostname|endswith: sendspace.com
DestinationHostname|endswith: storage.googleapis.com
DestinationHostname|endswith: storjshare.io
DestinationHostname|endswith: supabase.co
DestinationHostname|endswith: temp.sh
DestinationHostname|endswith: transfer.sh
DestinationHostname|endswith: trycloudflare.com
DestinationHostname|endswith: ufile.io
DestinationHostname|endswith: w3spaces.com
DestinationHostname|endswith: workers.dev
Initiated: true

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationHostname`	ends_with	`.githubusercontent.com` corpus 2 (sigma 2) `anonfiles.com` corpus 3 (sigma 3) `cdn.discordapp.com` corpus 3 (sigma 3) `ddns.net` corpus 3 (sigma 3) `dl.dropboxusercontent.com` corpus 2 (sigma 2) `ghostbin.co` corpus 2 (sigma 2) `github.com` corpus 2 (sigma 2) `glitch.me` corpus 2 (sigma 2) `gofile.io` corpus 3 (sigma 3) `hastebin.com` corpus 3 (sigma 3) `mediafire.com` corpus 3 (sigma 3) `mega.co.nz` corpus 4 (sigma 4) `mega.nz` corpus 4 (sigma 4) `onrender.com` corpus 2 (sigma 2) `pages.dev` corpus 3 (sigma 3) `paste.ee` corpus 3 (sigma 3) `pastebin.com` corpus 3 (sigma 3) `pastebin.pl` corpus 3 (sigma 3) `pastetext.net` corpus 3 (sigma 3) `pixeldrain.com` corpus 2 (sigma 2) `privatlab.com` corpus 3 (sigma 3) `privatlab.net` corpus 3 (sigma 3) `send.exploit.in` corpus 3 (sigma 3) `sendspace.com` corpus 3 (sigma 3) `storage.googleapis.com` corpus 3 (sigma 3) `storjshare.io` corpus 2 (sigma 2) `supabase.co` corpus 2 (sigma 2) `temp.sh` corpus 3 (sigma 3) `transfer.sh` corpus 3 (sigma 3) `trycloudflare.com` corpus 4 (sigma 4) `ufile.io` corpus 3 (sigma 3) `w3spaces.com` corpus 3 (sigma 3) `workers.dev` corpus 3 (sigma 3)
`Image`	match	`:\$Recycle.bin` corpus 2 (sigma 2) `:\Perflogs\` corpus 7 (sigma 7) `:\Temp\` corpus 12 (sigma 12) `:\Users\Default\` corpus 3 (sigma 3) `:\Users\Public\` corpus 14 (sigma 14) `:\Windows\Fonts\` corpus 3 (sigma 3) `:\Windows\IME\` corpus 3 (sigma 3) `:\Windows\System32\Tasks\` corpus 4 (sigma 4) `:\Windows\Tasks\` corpus 5 (sigma 5) `:\Windows\Temp\` corpus 9 (sigma 9) `\AppData\Temp\` corpus 3 (sigma 3) `\Windows\addins\` corpus 4 (sigma 4) `\config\systemprofile\` corpus 4 (sigma 4)
`Initiated`	eq	`true` corpus 40 (sigma 40)