Techniques
Sample rules
Suspicious File Download From File Sharing Websites - File Stream
- source: sigma
- techniques:
  - t1564
  - t1564.004
Description
Detects the download of a suspicious file type from a well-known file or paste sharing domain, based on the Zone.Identifier alternate data stream written to the downloaded file.
Detection logic
condition: all of selection_*
selection_domain:
  Contents|contains:
    - .githubusercontent.com
    - anonfiles.com
    - cdn.discordapp.com
    - ddns.net
    - dl.dropboxusercontent.com
    - ghostbin.co
    - glitch.me
    - gofile.io
    - hastebin.com
    - mediafire.com
    - mega.nz
    - onrender.com
    - pages.dev
    - paste.ee
    - pastebin.com
    - pastebin.pl
    - pastetext.net
    - pixeldrain.com
    - privatlab.com
    - privatlab.net
    - send.exploit.in
    - sendspace.com
    - storage.googleapis.com
    - storjshare.io
    - supabase.co
    - temp.sh
    - transfer.sh
    - trycloudflare.com
    - ufile.io
    - w3spaces.com
    - workers.dev
selection_extension:
  TargetFilename|contains:
    - .cpl:Zone
    - .dll:Zone
    - .exe:Zone
    - .hta:Zone
    - .lnk:Zone
    - .one:Zone
    - .vbe:Zone
    - .vbs:Zone
    - .xll:Zone
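As an added example (not code from the Sigma project or from this rule page), the following Python evaluates the rule's two selections over constructed Sysmon Event ID 15 (FileCreateStreamHash) records, where TargetFilename names the Zone.Identifier stream and Contents holds the stream text; the sample paths, URLs and the dict-based event shape are assumptions.

```python
"""Toy evaluator for the Sigma rule above, run over constructed Sysmon
Event ID 15 (FileCreateStreamHash) records. Not the Sigma project's code."""
from typing import Iterable

# Values copied from the rule's two selections.
SHARING_DOMAINS = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "glitch.me", "gofile.io", "hastebin.com",
    "mediafire.com", "mega.nz", "onrender.com", "pages.dev", "paste.ee", "pastebin.com",
    "pastebin.pl", "pastetext.net", "pixeldrain.com", "privatlab.com", "privatlab.net",
    "send.exploit.in", "sendspace.com", "storage.googleapis.com", "storjshare.io",
    "supabase.co", "temp.sh", "transfer.sh", "trycloudflare.com", "ufile.io",
    "w3spaces.com", "workers.dev",
]
STREAM_EXTENSIONS = [".cpl:Zone", ".dll:Zone", ".exe:Zone", ".hta:Zone", ".lnk:Zone",
                     ".one:Zone", ".vbe:Zone", ".vbs:Zone", ".xll:Zone"]


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    # Sigma's |contains modifier is case-insensitive by default.
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event: dict) -> bool:
    """True only when both selections hit (condition: all of selection_*)."""
    return (_contains_any(event.get("Contents", ""), SHARING_DOMAINS)
            and _contains_any(event.get("TargetFilename", ""), STREAM_EXTENSIONS))


def alerts(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (field names follow Sysmon Event ID 15; paths/URLs are made up).
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\Downloads\update.exe:Zone.Identifier",   # fires
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://cdn.discordapp.com/attachments/1/2/update.exe\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",   # extension not listed
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://mega.nz/file/abc\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\tool.dll:Zone.Identifier",     # domain not listed
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://www.example.com/tool.dll\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\macro.XLL:Zone.Identifier",    # fires, mixed case
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://PASTEBIN.COM/raw/xyz\r\n"},
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Because both modifiers are substring matches, a HostUrl on a subdomain such as files.example.ddns.net still matches, which is the intended breadth of the rule but also a source of false positives worth checking in tuning.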