Skip to content
Threat Feed
high advisory

Suspicious File Download from File Sharing Websites - Alternate Data Stream Detection

This brief details a high-severity detection aimed at identifying suspicious downloads of executable or script-like files from commonly abused file-sharing and pastebin domains, evidenced by the creation of a 'Zone.Identifier' Alternate Data Stream on Windows systems, a common initial access or payload delivery technique.

This brief details a detection focused on identifying highly suspicious file downloads from commonly abused file-sharing and pastebin websites. Attackers frequently leverage legitimate services like GitHub, Mega.nz, or various paste sites to host malicious payloads, making it difficult for traditional network filtering to distinguish between benign and malicious traffic. The detection specifically targets downloads of executable or script-like files (e.g., .exe, .dll, .hta, .vbs) that trigger the creation of a 'Zone.Identifier' Alternate Data Stream (ADS) on Windows systems. This ADS indicates the file originated from an untrusted internet zone, serving as a critical indicator when combined with suspicious file types and source domains. This behavior is a common initial access or payload delivery method, bypassing some security controls by using trusted services.

Impact

Successful exploitation following such a download typically leads to initial compromise of the endpoint. The downloaded file, if executed, could be any form of malware, including ransomware, information stealers, or remote access Trojans (RATs), granting attackers unauthorized access to the victim's system and potentially the broader network. This method is often used for targeted attacks against individuals or organizations, as attackers can tailor the payload and social engineering lures. The impact includes data exfiltration, system damage, lateral movement, and financial loss, contingent on the specific payload delivered by the attacker.

Recommendation

  • Deploy the Sigma rule in this brief to your SIEM and tune for your environment.
  • Ensure Sysmon logging, specifically for FileStreamHash events (Event ID 21), is enabled on all Windows endpoints to capture the necessary telemetry for the rule.
  • Consider implementing network-level blocking or content filtering for the domains listed in the selection_domain of the provided Sigma rule, especially for environments where access to these sites is not business-critical, to prevent initial download attempts.

Detection coverage 1

Suspicious File Download From File Sharing Websites - File Stream

high

Detects the download of suspicious executable or script file types from well-known file and paste sharing domains, identified by the creation of a 'Zone.Identifier' Alternate Data Stream.

sigma tactics: defense_evasion techniques: T1564.004 sources: create_stream_hash, windows

Detection queries are available on the platform. Get full rules →