
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1105 · Sentinel table: imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-06T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Detection Rule

Sigma (Original)

title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsolete
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2025-12-10
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
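
The rule's condition, `all of selection_*`, requires an image path under one of the listed directories, an outbound (`Initiated: true`) connection, and a destination hostname ending in one of the file-sharing suffixes. The following Python is an added reference implementation of that logic run over constructed Sysmon Event ID 3 records; it is not SigmaHQ code, and the sample events are made up. Sigma string modifiers match case-insensitively, so everything is lower-cased before comparison.

```python
# Added example: reference implementation of the Sigma rule's matching logic.
# Not SigmaHQ code. Sample events below are constructed, not real telemetry.
SUSPICIOUS_DIRS = [
    ":\\$Recycle.bin", ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Public\\", ":\\Windows\\Fonts\\", ":\\Windows\\IME\\",
    ":\\Windows\\System32\\Tasks\\", ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\",
    "\\AppData\\Temp\\", "\\config\\systemprofile\\", "\\Windows\\addins\\",
]
FILE_SHARING_SUFFIXES = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "github.com", "glitch.me",
    "gofile.io", "hastebin.com", "mediafire.com", "mega.co.nz", "mega.nz",
    "onrender.com", "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl",
    "pastetext.net", "pixeldrain.com", "privatlab.com", "privatlab.net",
    "send.exploit.in", "sendspace.com", "storage.googleapis.com", "storjshare.io",
    "supabase.co", "temp.sh", "transfer.sh", "trycloudflare.com", "ufile.io",
    "w3spaces.com", "workers.dev",
]

def matches(event: dict) -> bool:
    """True when the event satisfies 'all of selection_*' (case-insensitive)."""
    image = str(event.get("Image", "")).lower()
    host = str(event.get("DestinationHostname", "")).lower()
    in_susp_dir = any(d.lower() in image for d in SUSPICIOUS_DIRS)
    # Sysmon logs Initiated as the string "true"/"false"; only outbound counts.
    initiated = str(event.get("Initiated", "")).lower() == "true"
    to_sharing = any(host.endswith(s) for s in FILE_SHARING_SUFFIXES)
    return in_susp_dir and initiated and to_sharing

def alerts(events: list) -> list:
    """Indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 3 records
    {"Image": "C:\\Users\\Public\\svchost.exe", "Initiated": "true",
     "DestinationHostname": "raw.githubusercontent.com"},      # fires
    {"Image": "C:\\Program Files\\Git\\bin\\git.exe", "Initiated": "true",
     "DestinationHostname": "github.com"},                     # path not suspicious
    {"Image": "C:\\Windows\\Temp\\setup.exe", "Initiated": "true",
     "DestinationHostname": "objects.githubusercontent.com"},  # fires: the installer FP case
    {"Image": "C:\\Users\\Public\\agent.exe", "Initiated": "false",
     "DestinationHostname": "pastebin.com"},                   # inbound, ignored
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 2]
```

The third event is the false-positive shape the rule itself calls out (an installer in a temp directory fetching from GitHub); it still fires, which is why the author suggests baselining those cases or moving the GitHub domains to a lower-level hunting rule.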

KQL (Azure Sentinel)

imNetworkSession
| where ((SrcProcessName contains ":\\$Recycle.bin" or SrcProcessName contains ":\\Perflogs\\" or SrcProcessName contains ":\\Temp\\" or SrcProcessName contains ":\\Users\\Default\\" or SrcProcessName contains ":\\Users\\Public\\" or SrcProcessName contains ":\\Windows\\Fonts\\" or SrcProcessName contains ":\\Windows\\IME\\" or SrcProcessName contains ":\\Windows\\System32\\Tasks\\" or SrcProcessName contains ":\\Windows\\Tasks\\" or SrcProcessName contains ":\\Windows\\Temp\\" or SrcProcessName contains "\\AppData\\Temp\\" or SrcProcessName contains "\\config\\systemprofile\\" or SrcProcessName contains "\\Windows\\addins\\")
    or (DstProcessName contains ":\\$Recycle.bin" or DstProcessName contains ":\\Perflogs\\" or DstProcessName contains ":\\Temp\\" or DstProcessName contains ":\\Users\\Default\\" or DstProcessName contains ":\\Users\\Public\\" or DstProcessName contains ":\\Windows\\Fonts\\" or DstProcessName contains ":\\Windows\\IME\\" or DstProcessName contains ":\\Windows\\System32\\Tasks\\" or DstProcessName contains ":\\Windows\\Tasks\\" or DstProcessName contains ":\\Windows\\Temp\\" or DstProcessName contains "\\AppData\\Temp\\" or DstProcessName contains "\\config\\systemprofile\\" or DstProcessName contains "\\Windows\\addins\\"))
    and (NetworkDirection =~ "true"
    and (DstHostname endswith ".githubusercontent.com" or DstHostname endswith "anonfiles.com" or DstHostname endswith "cdn.discordapp.com" or DstHostname endswith "ddns.net" or DstHostname endswith "dl.dropboxusercontent.com" or DstHostname endswith "ghostbin.co" or DstHostname endswith "github.com" or DstHostname endswith "glitch.me" or DstHostname endswith "gofile.io" or DstHostname endswith "hastebin.com" or DstHostname endswith "mediafire.com" or DstHostname endswith "mega.co.nz" or DstHostname endswith "mega.nz" or DstHostname endswith "onrender.com" or DstHostname endswith "pages.dev" or DstHostname endswith "paste.ee" or DstHostname endswith "pastebin.com" or DstHostname endswith "pastebin.pl" or DstHostname endswith "pastetext.net" or DstHostname endswith "pixeldrain.com" or DstHostname endswith "privatlab.com" or DstHostname endswith "privatlab.net" or DstHostname endswith "send.exploit.in" or DstHostname endswith "sendspace.com" or DstHostname endswith "storage.googleapis.com" or DstHostname endswith "storjshare.io" or DstHostname endswith "supabase.co" or DstHostname endswith "temp.sh" or DstHostname endswith "transfer.sh" or DstHostname endswith "trycloudflare.com" or DstHostname endswith "ufile.io" or DstHostname endswith "w3spaces.com" or DstHostname endswith "workers.dev"))

Required Data Sources

Sentinel table: imNetworkSession
Notes: Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml