Merge PR SigmaHQ#5804 from @swachchhanda000 - enhance rules related with file download from file sharing websites

swachchhanda000 · web-flow · commit 685194383b4d · 2025-12-12T08:04:27.000+05:45
update: Suspicious Remote AppX Package Locations - add github.com
update: BITS Transfer Job Download From File Sharing Domains - add github.com
update: Suspicious File Download From File Sharing Websites - File Stream - add github.com
update: Unusual File Download From File Sharing Websites - File Stream - add github.com
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add github.com
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add github.com
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add github.com
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -10,7 +10,7 @@ references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-22
+modified: 2025-12-10
 tags:
     - attack.defense-evasion
 logsource:
@@ -26,6 +26,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-06-28
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -27,6 +27,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -12,7 +12,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
     - attack.defense-evasion
     - attack.s0139
@@ -29,6 +29,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -11,7 +11,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
     - attack.defense-evasion
     - attack.s0139
@@ -28,6 +28,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
@@ -13,7 +13,7 @@ references:
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018-08-30
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
     - attack.command-and-control
     - attack.t1105
@@ -45,6 +45,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
@@ -7,7 +7,7 @@ references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2017-03-19
-modified: 2024-08-22
+modified: 2025-12-10
 tags:
     - attack.command-and-control
     - attack.t1105
@@ -22,11 +22,18 @@ detection:
             - ':\Perflogs\'
             - ':\Temp\'
             - ':\Users\Default\'
+            - ':\Users\Public\'
             - ':\Windows\Fonts\'
             - ':\Windows\IME\'
             - ':\Windows\System32\Tasks\'
             - ':\Windows\Tasks\'
             - '\config\systemprofile\'
+            - '\Contacts\'
+            - '\Favorites\'
+            - '\Favourites\'
+            - '\Music\'
+            - '\Pictures\'
+            - '\Videos\'
             - '\Windows\addins\'
     filter_main_domains:
         # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
@@ -37,6 +44,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
@@ -17,7 +17,7 @@ references:
     - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
-modified: 2025-12-01
+modified: 2025-12-10
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -43,6 +43,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
@@ -7,7 +7,7 @@ references:
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
     - attack.execution
 logsource:
@@ -25,6 +25,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
@@ -9,7 +9,7 @@ references:
     - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
-modified: 2024-10-21
+modified: 2024-12-10
 tags:
     - attack.execution
 logsource:
@@ -32,6 +32,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            # - 'github.com'  See note above
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
@@ -8,7 +8,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-10-21
+modified: 2025-12-10
 tags:
     - attack.execution
 logsource:
@@ -26,6 +26,7 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'github.com'
             - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
