Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE

    Date: 10/28/2024

    Severity: Medium

    Summary

    This detection, derived from the SigmaHQ rule referenced below, flags PowerShell (powershell.exe or pwsh.exe) process creations whose command line references a known file-sharing, paste or free-hosting domain together with a download primitive such as Invoke-WebRequest or .DownloadString(. Attackers stage payloads on these services because the domains are reputable enough to pass URL filtering, and use PowerShell to fetch and execute them, often without a file ever touching disk, which bypasses traditional file-based security controls. The report emphasizes monitoring PowerShell command lines, enforcing security controls around script execution, and educating users about the risks of downloading files from untrusted sources.

    Indicators of Compromise (IOC) List

    Image (process path suffix):
        '\powershell.exe'
        '\pwsh.exe'

    OriginalFileName:
        'PowerShell.EXE'
        'pwsh.dll'

    CommandLine (file-sharing, paste and hosting domains):
        '.githubusercontent.com'
        'anonfiles.com'
        'cdn.discordapp.com'
        'ddns.net'
        'dl.dropboxusercontent.com'
        'ghostbin.co'
        'glitch.me'
        'gofile.io'
        'hastebin.com'
        'mediafire.com'
        'mega.nz'
        'onrender.com'
        'pages.dev'
        'paste.ee'
        'pastebin.com'
        'pastebin.pl'
        'pastetext.net'
        'pixeldrain.com'
        'privatlab.com'
        'privatlab.net'
        'send.exploit.in'
        'sendspace.com'
        'storage.googleapis.com'
        'storjshare.io'
        'supabase.co'
        'temp.sh'
        'transfer.sh'
        'trycloudflare.com'
        'ufile.io'
        'w3spaces.com'
        'workers.dev'

    CommandLine (download primitives; the trailing space on the last three is part of the indicator):
        '.DownloadString('
        '.DownloadFile('
        'Invoke-WebRequest '
        'iwr '
        'wget '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\powershell.exe","\pwsh.exe")) AND originalfilename IN ("PowerShell.EXE","pwsh.dll")) AND commandline IN (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev",".DownloadString(",".DownloadFile(","Invoke-WebRequest","iwr","wget")

    Detection Query 2

    (((technologygroup = "EDR") AND image IN ("\powershell.exe","\pwsh.exe")) AND originalfilename IN ("PowerShell.EXE","pwsh.dll")) AND commandline IN (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev",".DownloadString(",".DownloadFile(","Invoke-WebRequest","iwr","wget")
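    The two TDIR queries above place the domain indicators and the download-primitive indicators in a single commandline IN set, and require both the Image and OriginalFileName match. The referenced SigmaHQ rule groups them differently: Image suffix or OriginalFileName identifies PowerShell (either is enough, so a renamed binary is still caught), and the command line must contain one listed domain and one listed download primitive. The following Python is an added reference implementation of that grouped logic, not Gurucul's or SigmaHQ's code, run over constructed Sysmon-style Event ID 1 records; the paths and URLs in the sample events are placeholders.

```python
"""Added example: reference implementation of the detection logic behind
"Potentially Suspicious File Download From File Sharing Domain Via
PowerShell.EXE", run over constructed Sysmon process-creation events."""

# Indicator groups taken from the IOC list above. Sigma string matching is
# case-insensitive, so both indicators and event fields are lower-cased.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "pwsh.dll")
FILE_SHARING_DOMAINS = (
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "glitch.me", "gofile.io",
    "hastebin.com", "mediafire.com", "mega.nz", "onrender.com", "pages.dev",
    "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net", "pixeldrain.com",
    "privatlab.com", "privatlab.net", "send.exploit.in", "sendspace.com",
    "storage.googleapis.com", "storjshare.io", "supabase.co", "temp.sh",
    "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com", "workers.dev",
)
# Trailing spaces are deliberate: they avoid matching unrelated words that
# merely start with "iwr" or "wget".
DOWNLOAD_PRIMITIVES = (".downloadstring(", ".downloadfile(",
                       "invoke-webrequest ", "iwr ", "wget ")


def _first_match(haystack, needles):
    """Return the first indicator contained in haystack, or None."""
    for needle in needles:
        if needle in haystack:
            return needle
    return None


def is_powershell_process(event):
    """Image suffix OR OriginalFileName identifies PowerShell; either suffices,
    so a copied or renamed binary is still recognised by its PE original name."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def matched_indicators(event):
    """Return (domain, download_primitive) when the event satisfies the rule,
    otherwise None. Both command-line groups must match, as in the Sigma
    rule's condition; a domain mention alone does not fire."""
    if event.get("EventID") != 1 or not is_powershell_process(event):
        return None
    cmdline = event.get("CommandLine", "").lower()
    domain = _first_match(cmdline, FILE_SHARING_DOMAINS)
    primitive = _first_match(cmdline, DOWNLOAD_PRIMITIVES)
    if domain and primitive:
        return domain, primitive
    return None


def run_detection(events):
    """Indices of the events that fire the rule, for triage and assertions."""
    return [i for i, e in enumerate(events) if matched_indicators(e) is not None]


# Constructed Sysmon Event ID 1 records (field names as Sysmon emits them).
# Hosts, paths and URL components are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {   # 0: listed domain plus a download cmdlet -> fires
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -NoProfile -Command "Invoke-WebRequest '
                       r'https://cdn.discordapp.com/attachments/PLACEHOLDER/update.txt '
                       r'-OutFile C:\Users\Public\update.txt"',
    },
    {   # 1: benign pwsh usage, no domain and no download primitive
        "EventID": 1,
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r'pwsh.exe -c "Get-Process | Out-File C:\Temp\procs.txt"',
    },
    {   # 2: listed domain mentioned, but no download primitive -> no match
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -c "Write-Host Review pastebin.com usage policy"',
    },
    {   # 3: download cmdlet, but the host is not a listed file-sharing domain
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -c "Invoke-WebRequest '
                       r'https://updates.example.com/agent.msi -OutFile C:\Temp\agent.msi"',
    },
    {   # 4: copied binary recognised only via OriginalFileName -> fires
        "EventID": 1,
        "Image": r"C:\Tools\ps_copy.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": ('ps_copy.exe -c "(New-Object Net.WebClient).DownloadFile('
                        "'https://transfer.sh/PLACEHOLDER/a.txt', 'C:\\Temp\\a.txt')\""),
    },
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"event {i} fired on {matched_indicators(SAMPLE_EVENTS[i])}")
```

    Events 0 and 4 fire; events 2 and 3 show why the two command-line groups are combined with AND rather than flattened into one set: a flat set alerts on every script that mentions a paste site or runs Invoke-WebRequest against an internal host, which is the main false-positive source when this rule is deployed as written in the queries above.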

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml

    Tags

    Sigma, Malware, PowerShell Attack
