Some installers located in the temp directory might communicate with the GitHub domains in order to download additional software. Baseline these cases or move the GitHub domain to a lower-level hunting rule.

Techniques

Sample rules

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Description

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Detection logic

condition: all of selection_*
selection_domains:
  DestinationHostname|endswith:
  - .githubusercontent.com
  - anonfiles.com
  - cdn.discordapp.com
  - ddns.net
  - dl.dropboxusercontent.com
  - ghostbin.co
  - glitch.me
  - gofile.io
  - hastebin.com
  - mediafire.com
  - mega.co.nz
  - mega.nz
  - onrender.com
  - pages.dev
  - paste.ee
  - pastebin.com
  - pastebin.pl
  - pastetext.net
  - pixeldrain.com
  - privatlab.com
  - privatlab.net
  - send.exploit.in
  - sendspace.com
  - storage.googleapis.com
  - storjshare.io
  - supabase.co
  - temp.sh
  - transfer.sh
  - trycloudflare.com
  - ufile.io
  - w3spaces.com
  - workers.dev
  Initiated: 'true'
selection_paths:
  Image|contains:
  - :\$Recycle.bin
  - :\Perflogs\
  - :\Temp\
  - :\Users\Default\
  - :\Users\Public\
  - :\Windows\Fonts\
  - :\Windows\IME\
  - :\Windows\System32\Tasks\
  - :\Windows\Tasks\
  - :\Windows\Temp\
  - \AppData\Temp\
  - \config\systemprofile\
  - \Windows\addins\
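An added example, not part of the LoFP page or the Sigma rule: it evaluates the rule's two selections (`all of selection_*`) over constructed Sysmon-style network events and applies the page's false-positive guidance by routing `.githubusercontent.com` matches to a lower-severity hunting tier instead of the alerting tier. The domain and path lists are a subset of the rule above; the sample events and the tier names are constructed for illustration.

```python
# Added example: Python re-implementation of the rule's matching logic with the
# GitHub demotion from the false-positive note layered on top. Not the LoFP
# page's or Sigma's own code. Field names follow Sysmon Event ID 3.

# Subset of the rule's lists (Sigma `endswith` / `contains` are case-insensitive).
FILE_SHARING_SUFFIXES = (".githubusercontent.com", "cdn.discordapp.com",
                         "pastebin.com", "transfer.sh", "workers.dev")
SUSPICIOUS_PATH_FRAGMENTS = (":\\temp\\", ":\\users\\public\\",
                             ":\\windows\\temp\\", "\\appdata\\temp\\")
# Per the false-positive note: installers in temp dirs legitimately fetch from
# GitHub, so this suffix goes to a hunting-level rule rather than an alert.
HUNTING_ONLY_SUFFIXES = (".githubusercontent.com",)


def selection_domains(event):
    """Mirror selection_domains: outbound connection to a listed suffix."""
    host = str(event.get("DestinationHostname", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and host.endswith(FILE_SHARING_SUFFIXES)


def selection_paths(event):
    """Mirror selection_paths: image path contains a suspicious fragment."""
    image = str(event.get("Image", "")).lower()
    return any(frag in image for frag in SUSPICIOUS_PATH_FRAGMENTS)


def classify(event):
    """Return 'alert', 'hunting' or None (no match), i.e. the rule's
    `condition: all of selection_*` plus the GitHub demotion."""
    if not (selection_domains(event) and selection_paths(event)):
        return None
    host = str(event.get("DestinationHostname", "")).lower()
    return "hunting" if host.endswith(HUNTING_ONLY_SUFFIXES) else "alert"


def triage(events):
    """Group matching events by tier, keyed by the process image."""
    return {tier: [e["Image"] for e in events if classify(e) == tier]
            for tier in ("alert", "hunting")}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\update.exe", "DestinationHostname": "cdn.discordapp.com", "Initiated": "true"},
    {"Image": r"C:\Windows\Temp\setup.exe", "DestinationHostname": "raw.githubusercontent.com", "Initiated": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "DestinationHostname": "pastebin.com", "Initiated": "true"},
    {"Image": r"C:\Users\Public\svc.exe", "DestinationHostname": "transfer.sh", "Initiated": "false"},
]

if __name__ == "__main__":
    for tier, images in triage(SAMPLE_EVENTS).items():
        print(tier, images)
```

The third and fourth events show the two ways a connection falls outside the rule: a trusted install path, and an inbound (non-initiated) connection.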