Merge PR #5804 from @swachchhanda000 - enhance rules related to file download from file sharing websites

update: Suspicious Remote AppX Package Locations - add github.com
update: BITS Transfer Job Download From File Sharing Domains - add github.com
update: Suspicious File Download From File Sharing Websites - File Stream - add github.com
update: Unusual File Download From File Sharing Websites - File Stream - add github.com
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add github.com
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add github.com
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add github.com
Swachchhanda Shrawan Poudel
2025-12-12 08:04:27 +05:45
committed by GitHub
parent c5b881019a
commit 685194383b
10 changed files with 27 additions and 10 deletions
@@ -10,7 +10,7 @@ references:
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2024-08-22
modified: 2025-12-10
tags:
- attack.defense-evasion
logsource:
@@ -26,6 +26,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
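Review bot: `github.com` is a much broader match than the neighbouring paste and file-drop hosts in this list (`ghostbin.co`, `gofile.io`, `hastebin.com`), since the whole of GitHub, including legitimate software releases, now matches; the `modified` bump alone does not cover that, so the rule's falsepositives section and level should be revisited in the same change, and the PR description should state why the bare domain rather than a narrower pattern was chosen.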
@@ -9,7 +9,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2024-10-21
modified: 2025-12-10
tags:
- attack.defense-evasion
- attack.persistence
@@ -27,6 +27,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
@@ -12,7 +12,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2024-10-21
modified: 2025-12-10
tags:
- attack.defense-evasion
- attack.s0139
@@ -29,6 +29,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
@@ -11,7 +11,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2024-10-21
modified: 2025-12-10
tags:
- attack.defense-evasion
- attack.s0139
@@ -28,6 +28,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
@@ -13,7 +13,7 @@ references:
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2024-10-21
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
@@ -45,6 +45,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
@@ -7,7 +7,7 @@ references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2024-08-22
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
@@ -22,11 +22,18 @@ detection:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Fonts\'
- ':\Windows\IME\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '\config\systemprofile\'
- '\Contacts\'
- '\Favorites\'
- '\Favourites\'
- '\Music\'
- '\Pictures\'
- '\Videos\'
- '\Windows\addins\'
filter_main_domains:
# Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
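Review bot: the hunk header (`@@ -22,11 +22,18 @@`) shows seven new entries in the suspicious process-location list, but the commit message records only "add github.com" for this rule; please list the added paths in the commit message or PR description so the change to the location logic is documented and can be reviewed separately from the domain additions.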
@@ -37,6 +44,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
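Review bot: this `github.com` entry goes into `filter_main_domains`, which the comment above it describes as excluding domains already handled by rule e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97; adding the domain here suppresses this rule for connections to github.com from the listed locations, so confirm that e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 is one of the files receiving the same addition in this PR, otherwise that case is silently left uncovered.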
@@ -17,7 +17,7 @@ references:
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
modified: 2025-12-10
tags:
- attack.defense-evasion
- attack.t1027
@@ -43,6 +43,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
@@ -7,7 +7,7 @@ references:
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
modified: 2024-10-21
modified: 2025-12-10
tags:
- attack.execution
logsource:
@@ -25,6 +25,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
@@ -9,7 +9,7 @@ references:
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-10-21
modified: 2024-12-10
tags:
- attack.execution
logsource:
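Review bot: the `modified` date in this hunk is set to `2024-12-10`, while every other file in the commit moves to `2025-12-10` and the commit itself is dated 2025-12-12; this looks like a typo and should read `modified: 2025-12-10`.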
@@ -32,6 +32,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
# - 'github.com' See note above
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
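Review bot: the commit message says "add github.com" for every rule it names, but in this hunk the entry is commented out (`# - 'github.com' See note above`), so the message and the change disagree; either state in the message that the domain is intentionally excluded for this rule or enable the entry as in the other files. The note the comment points to lies outside the hunk context, so the rationale cannot be verified from the diff alone; repeating the justification next to the commented line would help reviewers.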
@@ -8,7 +8,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
modified: 2024-10-21
modified: 2025-12-10
tags:
- attack.execution
logsource:
@@ -26,6 +26,7 @@ detection:
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'