update: suspicious file activity related to file sharing websites

rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml

@@ -10,7 +10,7 @@ references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-22
+modified: 2025-08-01
 tags:
     - attack.defense-evasion
 logsource:
@@ -21,8 +21,11 @@ detection:
         EventID: 854
         Path|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -50,6 +53,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml

@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-06-28
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -22,8 +22,11 @@ detection:
         EventID: 16403
         RemoteName|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -52,6 +55,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml

@@ -12,7 +12,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.defense-evasion
     - attack.s0139
@@ -24,8 +24,11 @@ detection:
     selection_domain:
         Contents|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -54,6 +57,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     selection_extension:
         TargetFilename|contains:
             - '.cpl:Zone'

rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml

@@ -11,7 +11,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.defense-evasion
     - attack.s0139
@@ -23,8 +23,11 @@ detection:
     selection_domain:
         Contents|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -53,6 +56,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     selection_extension:
         TargetFilename|contains:
             - '.bat:Zone'

rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml

@@ -16,7 +16,7 @@ references:
     - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022-08-17
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.command-and-control
     - attack.t1102
@@ -29,10 +29,13 @@ detection:
         Initiated: 'true'
         DestinationHostname|endswith:
             - '.t.me'
+            - '0x0.st'
             - '4shared.com'
             - 'abuse.ch'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'cloudflare.com'
             - 'ddns.net'
             - 'discord.com'
@@ -76,6 +79,7 @@ detection:
             - 'w3spaces.com'
             - 'wetransfer.com'
             - 'workers.dev'
+            - 'x0.at'
             - 'youtube.com'
     # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
     # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results

rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml

@@ -13,7 +13,7 @@ references:
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018-08-30
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.command-and-control
     - attack.t1105
@@ -40,8 +40,11 @@ detection:
         Initiated: 'true'
         DestinationHostname|endswith:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -71,6 +74,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     condition: all of selection_*
 falsepositives:
     - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.

rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml

@@ -7,7 +7,7 @@ references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2017-03-19
-modified: 2024-08-22
+modified: 2025-08-01
 tags:
     - attack.command-and-control
     - attack.t1105
@@ -32,8 +32,11 @@ detection:
         # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
         DestinationHostname|endswith:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -63,6 +66,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml

@@ -11,7 +11,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-06-28
-modified: 2024-08-22
+modified: 2025-08-01
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -33,8 +33,11 @@ detection:
     selection_domain:
         CommandLine|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -62,6 +65,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     condition: all of selection_*
 falsepositives:
     - Some legitimate apps use this, but limited.

rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml

@@ -14,9 +14,10 @@ references:
     - https://twitter.com/egre55/status/1087685529016193025
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
+    - https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
-modified: 2024-08-22
+modified: 2025-08-01
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -34,8 +35,11 @@ detection:
     selection_http:
         CommandLine|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -63,6 +67,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.execution
 logsource:
@@ -20,8 +20,11 @@ detection:
     selection_websites:
         CommandLine|contains:
             - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -50,6 +53,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     selection_http:
         CommandLine|contains: 'http'
     selection_flag:

rules/windows/process_creation/proc_creation_win_curl_upload_file_sharing_websites.yml

@@ -0,0 +1,52 @@
+title: Curl File Upload To File Sharing Websites
+id: e328cc73-f92a-42fb-b3fa-7c2cffda981a
+related:
+    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
+      type: derived
+    - id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
+      type: similar
+status: experimental
+description: Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+references:
+    - https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
+date: 2025-08-01
+tags:
+    - attack.exfiltration
+    - attack.t1567.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_cli_domain:
+        CommandLine|contains:
+            - '0x0.st'
+            - 'bashupload.com'
+            - 'chunk.io'
+            - 'file.io'
+            - 'filebin.net'
+            - 'pastebin'
+            - 'send.firefox.com'
+            - 'temp.sh'
+            - 'transfer.sh'
+            - 'ufile.io'
+            - 'uploadfiles.io'
+            - 'wetransfer.com'
+            - 'x0.at'
+    selection_cli_flags:
+        - CommandLine|contains:
+              - ' --form'
+              - ' --upload-file'
+              - ' --data'
+              - ' -X POST'
+              - ' --request POST '
+        - CommandLine|re:
+              - '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
+              - '\s-sT\s'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate file uploads to these services by administrators or developers
+level: high

rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml

@@ -9,7 +9,7 @@ references:
     - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
-modified: 2024-10-21
+modified: 2025-08-01
 tags:
     - attack.execution
 logsource:
@@ -27,8 +27,11 @@ detection:
         CommandLine|contains:
             # Note: You might want to baseline the github domain before including it
             # - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).
+            - '0x0.st'
             - 'anonfiles.com'
+            - 'bashupload.com'
             - 'cdn.discordapp.com'
+            - 'chunk.io'
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
@@ -57,6 +60,7 @@ detection:
             - 'ufile.io'
             - 'w3spaces.com'
             - 'workers.dev'
+            - 'x0.at'
     selection_download:
         CommandLine|contains:
             - '.DownloadString('