sigmaDRL-1.1from SigmaHQ/sigma

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1105

Rule sourcerules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml

title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsolete
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2025-12-10
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high