LoFP LoFP / some system administrators or development teams may use tools like curl or powershell to download files from public services for legitimate automation or scripting purposes. however, use of these binaries to contact domains commonly associated with file sharing or temporary hosting should be carefully reviewed, as such services are frequently abused by threat actors for malware delivery and staging. tuning by domain allowlisting or internal usage policies is recommended.

Techniques

Sample rules

Cisco NVM - Suspicious Download From File Sharing Website

Description

This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins) such as ‘curl.exe’, ‘certutil.exe’, ‘msiexec.exe’, ‘powershell.exe’, ‘wmic.exe’, and others. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.

Detection logic

`cisco_network_visibility_module_flowdata`
(
  (process_name = "svchost.exe" process_arguments = "*-s BITS*")
  OR
  process_name IN (
      "curl.exe", "wmic.exe", "wscript.exe", "cscript.exe", "certutil.exe",
      "msiexec.exe", "hh.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe",
      "installutil.exe", "certoc.exe", "bitsadmin.exe"
  )
)
dest_hostname IN (
    "*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
    "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
    "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
    "*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
    "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
    "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
    "*ufile.io*", "*w3spaces.com*", "*workers.dev*"
  )

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime

| `cisco_nvm___suspicious_download_from_file_sharing_website_filter`