Suspicious Download from File Sharing Website via LOLBins
Detection of suspicious downloads from file sharing and content delivery platforms using living-off-the-land binaries (LOLBins) to identify potential initial access, payload staging, or command and control activity.
This threat brief addresses the abuse of living-off-the-land binaries (LOLBins) to download malicious payloads from file-sharing websites. Attackers leverage tools like curl.exe, certutil.exe, msiexec.exe, powershell.exe, and wmic.exe to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This activity often bypasses traditional security measures, blending malicious network traffic with legitimate system processes. The detection outlined here relies on Cisco Network Visibility Module logs to provide network flow activity with process context, including command-line arguments, process path, and parent process information. Identifying this behavior is crucial for preventing initial access, detecting payload staging, and uncovering command and control activities disguised as normal operations. This approach is especially relevant given the increasing sophistication of threat actors and their ability to mask malicious behavior within trusted system processes.
Attack Chain
- Initial Access: The attacker gains initial access through an undisclosed method (e.g., compromised account, software vulnerability).
- LOLBin Execution: A living-off-the-land binary (e.g.,
powershell.exe,curl.exe) is executed on the compromised system. - Download Attempt: The LOLBin is used to download a file from a public file-sharing service (e.g.,
githubusercontent.com,pastebin.com). The command line includes the URL of the hosted payload. - Payload Staging: The downloaded file is saved to a temporary location on the system (e.g.,
C:\Windows\Temp). - Execution: The downloaded file is executed. This could be a script (e.g., PowerShell, VBScript) or an executable.
- Persistence: The attacker establishes persistence by creating a scheduled task, modifying registry keys, or other methods.
- Lateral Movement: The attacker uses compromised credentials or exploits vulnerabilities to move laterally to other systems on the network.
- Objective Achieved: The attacker achieves their final objective, which could be data exfiltration, ransomware deployment, or other malicious activities.
Impact
Successful exploitation can lead to initial access, payload staging, command and control, and ultimately data theft, system compromise, or ransomware deployment. The scope of impact can range from individual endpoints to entire networks, depending on the attacker's objectives and lateral movement capabilities. Given that LOLBins are commonly used system tools, detecting malicious use requires careful analysis of process execution and network connections. Failure to detect this activity can result in significant financial losses, reputational damage, and operational disruption. Recent campaigns, such as those attributed to Mint Sandstorm, highlight the risk of targeting high-profile individuals at universities and research organizations.
Recommendation
- Deploy the provided Sigma rules to detect suspicious downloads from file-sharing websites using LOLBins, ingesting Cisco NVM flow data.
- Monitor network connections from LOLBins (
curl.exe,certutil.exe,msiexec.exe,powershell.exe,wmic.exe) to the listed file-sharing domains in the IOC table. - Review and tune the
cisco_nvm___suspicious_download_from_file_sharing_website_filtermacro to reduce false positives based on internal usage patterns. - Enable and monitor Cisco Network Visibility Module Flow Data to capture the required network and process context.
- Ingest logs using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) as described in the "how_to_implement" section, to provide the necessary data for the Sigma rules.
Detection coverage 3
Suspicious PowerShell Download from File Sharing Site
highDetects PowerShell downloading files from known file sharing domains.
CertUtil Download from File Sharing Site
highDetects certutil.exe downloading files from known file sharing domains.
BITSAdmin Download from File Sharing Site
highDetects bitsadmin.exe downloading files from known file sharing domains.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
26
domain
| Type | Value |
|---|---|
| domain | *.githubusercontent.com* |
| domain | *anonfiles.com* |
| domain | *cdn.discordapp.com* |
| domain | *ddns.net* |
| domain | *dl.dropboxusercontent.com* |
| domain | *ghostbin.co* |
| domain | *glitch.me* |
| domain | *gofile.io* |
| domain | *hastebin.com* |
| domain | *mediafire.com* |
| domain | *mega.nz* |
| domain | *onrender.com* |
| domain | *pages.dev* |
| domain | *paste.ee* |
| domain | *pastetext.net* |
| domain | *send.exploit.in* |
| domain | *sendspace.com* |
| domain | *storage.googleapis.com* |
| domain | *storjshare.io* |
| domain | *supabase.co* |
| domain | *temp.sh* |
| domain | *transfer.sh* |
| domain | *trycloudflare.com* |
| domain | *ufile.io* |
| domain | *w3spaces.com* |
| domain | *workers.dev* |