Some installers located in the temp directory might communicate with the GitHub domains in order to download additional software. Baseline these cases or move the GitHub domain to a lower-level hunting rule.

Techniques

Sample rules

Microsoft Binary Suspicious Communication Endpoint

Description

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Detection logic

condition: all of selection_*
selection_domains:
  DestinationHostname|endswith:
  - .githubusercontent.com
  - anonfiles.com
  - cdn.discordapp.com
  - cdn.discordapp.com/attachments/
  - ddns.net
  - dl.dropboxusercontent.com
  - ghostbin.co
  - glitch.me
  - gofile.io
  - hastebin.com
  - mediafire.com
  - mega.co.nz
  - mega.nz
  - onrender.com
  - paste.ee
  - pastebin.com
  - pastebin.pl
  - pastetext.net
  - privatlab.com
  - privatlab.net
  - send.exploit.in
  - sendspace.com
  - storage.googleapis.com
  - storjshare.io
  - supabase.co
  - temp.sh
  - transfer.sh
  - ufile.io
  Initiated: 'true'
selection_paths:
  Image|contains:
  - :\PerfLogs\
  - :\Temp\
  - :\Users\Public\
  - :\Windows\System32\Tasks\
  - :\Windows\Tasks\
  - :\Windows\Temp\
  - \AppData\Temp\
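As an added example (not the rule's own code or the page's), the two selections above are evaluated over constructed Sysmon network-connection records, with a baseline allowlist of the sort the false-positive note recommends; the installer name `vendor-setup.exe`, the `BASELINE` table and `SAMPLE_EVENTS` are all constructed for illustration.

```python
# Added example, not the page's or Sigma's code; SAMPLE_EVENTS and BASELINE are constructed.
FILE_SHARING_SUFFIXES = (  # DestinationHostname|endswith values from the rule above
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com",
    "cdn.discordapp.com/attachments/", "ddns.net", "dl.dropboxusercontent.com",
    "ghostbin.co", "glitch.me", "gofile.io", "hastebin.com", "mediafire.com",
    "mega.co.nz", "mega.nz", "onrender.com", "paste.ee", "pastebin.com",
    "pastebin.pl", "pastetext.net", "privatlab.com", "privatlab.net",
    "send.exploit.in", "sendspace.com", "storage.googleapis.com", "storjshare.io",
    "supabase.co", "temp.sh", "transfer.sh", "ufile.io",
)
SUSPICIOUS_PATH_FRAGMENTS = (  # Image|contains values from the rule above, lower-cased
    ":\\perflogs\\", ":\\temp\\", ":\\users\\public\\", ":\\windows\\system32\\tasks\\",
    ":\\windows\\tasks\\", ":\\windows\\temp\\", "\\appdata\\temp\\",
)
# Verified-benign (image substring, hostname suffix) pairs; the installer name is hypothetical.
BASELINE = (("\\vendor-setup.exe", ".githubusercontent.com"),)

def _fields(event):
    """Sigma string matching is case-insensitive by default, so lower-case both sides."""
    return (str(event.get("DestinationHostname", "")).lower(),
            str(event.get("Image", "")).lower())
def rule_matches(event):
    """Both selections: initiated outbound, file-sharing host suffix, suspicious image path."""
    host, image = _fields(event)
    return (str(event.get("Initiated", "")).lower() == "true"
            and any(host.endswith(s) for s in FILE_SHARING_SUFFIXES)
            and any(p in image for p in SUSPICIOUS_PATH_FRAGMENTS))
def is_baselined(event):
    host, image = _fields(event)
    return any(i in image and host.endswith(h) for i, h in BASELINE)
def triage(events):
    """Bucket events into 'alert', 'baselined' (rule hit but known-good) or 'no_match'."""
    out = {"alert": [], "baselined": [], "no_match": []}
    for ev in events:
        bucket = ("no_match" if not rule_matches(ev)
                  else "baselined" if is_baselined(ev) else "alert")
        out[bucket].append(ev["id"])
    return out

# Constructed Sysmon event-3 style records (only the fields the rule uses).
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\Temp\\vendor-setup.exe",
     "DestinationHostname": "raw.githubusercontent.com", "Initiated": "true"},
    {"id": 2, "Image": "C:\\Users\\Public\\updater.exe",
     "DestinationHostname": "cdn.discordapp.com", "Initiated": "true"},
    {"id": 3, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "DestinationHostname": "pastebin.com", "Initiated": "true"},
    {"id": 4, "Image": "C:\\Users\\Public\\updater.exe",
     "DestinationHostname": "transfer.sh", "Initiated": "false"},
]
```

Event 1 is the false positive the note describes (a temp-directory installer fetching from GitHub) and is suppressed by the baseline, while event 2 still alerts; events 3 and 4 miss the path selection and the `Initiated` filter respectively.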