diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
index 24987fcd4..e2b7a29c5 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -10,7 +10,7 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-22
+modified: 2025-12-10
 tags:
 - attack.defense-evasion
 logsource:
@@ -26,6 +26,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
index b48b96a21..1c7fff77b 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -9,7 +9,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-06-28
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
 - attack.defense-evasion
 - attack.persistence
@@ -27,6 +27,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
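Review bot: The `'github.com'` entry added in the second hunk does not cover `raw.githubusercontent.com` or `objects.githubusercontent.com`, the hosts GitHub typically serves raw-file and release downloads from, so in the rules that match on the observed remote host rather than on the typed URL a download started from a github.com link can still go unmatched unless `githubusercontent.com` is already elsewhere in the list (the field and modifier line sits above the hunk, so this is inferred from the sibling entries). The same entry is added to the bits_client, both create_stream_hash, both net_connection, certutil, curl and wget rules in this commit. github.com is also one of the highest-volume legitimate destinations on developer and CI hosts, which the powershell rule in this commit acknowledges by commenting the entry out; each rule that keeps it should state that in its `falsepositives` section (outside the hunks), and the command-line based rules could narrow it to a download path such as `'github.com/'` combined with `'/releases/download/'` to keep the alert volume usable.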
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index f9d47b1cd..d26b658bd 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -12,7 +12,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
 - attack.defense-evasion
 - attack.s0139
@@ -29,6 +29,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index 021b53c2c..c0d6b0107 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -11,7 +11,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
 - attack.defense-evasion
 - attack.s0139
@@ -28,6 +28,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
index e177d0288..735186bec 100644
--- a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
@@ -13,7 +13,7 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018-08-30
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
 - attack.command-and-control
 - attack.t1105
@@ -45,6 +45,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
index 4037c6136..cd0d57681 100644
--- a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
@@ -7,7 +7,7 @@ references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2017-03-19
-modified: 2024-08-22
+modified: 2025-12-10
 tags:
 - attack.command-and-control
 - attack.t1105
@@ -22,11 +22,18 @@ detection:
 - ':\Perflogs\'
 - ':\Temp\'
 - ':\Users\Default\'
+ - ':\Users\Public\'
 - ':\Windows\Fonts\'
 - ':\Windows\IME\'
 - ':\Windows\System32\Tasks\'
 - ':\Windows\Tasks\'
 - '\config\systemprofile\'
+ - '\Contacts\'
+ - '\Favorites\'
+ - '\Favourites\'
+ - '\Music\'
+ - '\Pictures\'
+ - '\Videos\'
 - '\Windows\addins\'
 filter_main_domains:
 # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
@@ -37,6 +44,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
index 54d7c2073..0e61d86aa 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
@@ -17,7 +17,7 @@ references:
 - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
-modified: 2025-12-01
+modified: 2025-12-10
 tags:
 - attack.defense-evasion
 - attack.t1027
@@ -43,6 +43,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
index 110fc8ee1..a404e39aa 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
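Review bot: `'\Favourites\'` is added next to `'\Favorites\'` in the first hunk, but as far as I know the Windows profile folder is spelled `Favorites` on disk in every locale (only the display name is localized), so unless it targets a known third-party or non-default path it is dead weight; if it is intentional, a comment above it naming the product or path it is meant for (e.g. `# Favourites: <source of this path>`) would stop the next maintainer from removing it as a typo. The new `'\Music\'`, `'\Pictures\'`, `'\Videos\'` and `':\Users\Public\'` substrings match under any parent directory (the field line is above the hunk, so `Image|contains` is inferred from the sibling entries), which includes OneDrive-synced user folders and the Public profile that installers and updaters routinely launch from, so the `falsepositives` section of this rule (outside the hunk) should reflect the wider net, or the entries should be anchored to the profile root in the same style as `':\Users\Default\'`.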
@@ -7,7 +7,7 @@ references:
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
 - attack.execution
 logsource:
@@ -25,6 +25,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
index b6c505016..98f07c2d5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
@@ -9,7 +9,7 @@ references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
-modified: 2024-10-21
+modified: 2024-12-10
 tags:
 - attack.execution
 logsource:
@@ -32,6 +32,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ # - 'github.com' See note above
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
index 2c332cea7..f9360b9e8 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
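Review bot: `+modified: 2024-12-10` in the `@@ -9,7 +9,7 @@` hunk of proc_creation_win_powershell_download_susp_file_sharing_domains.yml disagrees with every other rule touched by this commit, which all move to `2025-12-10`; the year looks like a typo and `modified: 2025-12-10` would keep the set consistent and the rule's history monotonic. In the same file, the new `# - 'github.com' See note above` line points at a note that is outside the hunk; repeating the one-line reason on the entry itself (`# - 'github.com'  # intentionally omitted, see note at the top of the selection`) keeps the list self-explanatory if the entries are ever reordered or the note moves.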
@@ -8,7 +8,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
 - attack.execution
 logsource:
@@ -26,6 +26,7 @@ detection:
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
+ - 'github.com'
 - 'glitch.me'
 - 'gofile.io'
 - 'hastebin.com'