Unusual File Download From File Sharing Websites - File Stream
This brief details the detection of suspicious file types (batch, command, PowerShell scripts) downloaded from well-known public file and paste sharing domains, leveraging the `Zone.Identifier` Alternate Data Stream to signal potential malware delivery or covert data transfer, which could lead to system compromise and data exfiltration.
This threat brief focuses on a behavioral detection designed to identify suspicious file downloads from public file and paste sharing websites. Attackers frequently leverage legitimate services like GitHub, Mega.nz, Pastebin, or Discord to host malicious payloads, command and control configurations, or exfiltrated data. This method allows them to bypass traditional network filtering and evade detection by blending in with legitimate traffic. The detection specifically targets files with common scripting extensions (.bat, .cmd, .ps1) that also carry the Zone.Identifier Alternate Data Stream, a Windows mechanism indicating a file's origin from the internet. The presence of this stream on executable or script files downloaded from untrusted public sources is a strong indicator of potential malicious activity, such as the delivery of initial access payloads, second-stage malware, or tools for persistence. Defenders should be aware that such downloads are often precursors to full system compromise.
Attack Chain
- Initial access is achieved, potentially via a phishing campaign, compromised legitimate software, or exploitation of a vulnerable internet-facing application, granting the attacker initial execution capabilities on a target system.
- The attacker utilizes the initial foothold to stage a secondary payload download, often calling out to publicly available and trusted-looking file or paste-sharing services to host the malicious artifact.
- A malicious script or binary on the compromised system initiates a download of a file from a well-known public file-sharing domain (e.g.,
githubusercontent.com,mega.nz,cdn.discordapp.com). - The downloaded file arrives with a suspicious scripting extension (such as
.bat,.cmd, or.ps1) and inherently creates an Alternate Data Stream (ADS) namedZone.Identifier, marking its origin from the internet. - The system records the creation of this file and its associated
Zone.Identifierstream, indicating an external download of potentially executable content. - The attacker then attempts to execute this downloaded script using a command and scripting interpreter (e.g., PowerShell, cmd.exe), often through a user interaction or an automated mechanism.
- Successful execution leads to the establishment of persistent access, full command and control capabilities, data exfiltration to attacker-controlled infrastructure, or the deployment of further malware such as ransomware.
Impact
If malicious script files downloaded from public file-sharing domains are executed, organizations face significant risks including full system compromise, network lateral movement, and data exfiltration. Attackers can leverage these initial access points to deploy ransomware, steal sensitive information, or disrupt critical operations. The use of legitimate services makes these attacks harder to detect at the network perimeter, increasing the likelihood of successful execution and subsequent damage. The impact often includes financial loss due to business disruption, regulatory fines, and reputational damage. While no specific victim numbers are available for this generic detection, such techniques are widely employed across various sectors by numerous threat actors.
Recommendation
- Deploy the Sigma rule "Unusual File Download From File Sharing Websites - File Stream" to your SIEM and tune for your environment to detect suspicious file downloads.
- Ensure Sysmon
EventID 15(FileStreamCreated) logging is enabled and collected for all Windows endpoints to activate the detection rule. - Investigate alerts generated by the rule for
TargetFilenamevalues ending in:Zonecombined with suspicious extensions (.bat,.cmd,.ps1) originating fromContentscontaining known file-sharing domains. - Educate users on the risks of downloading and executing files from untrusted sources, even if hosted on legitimate platforms, as these are frequently used in phishing and malware delivery schemes.
Detection coverage 1
Unusual File Download From File Sharing Websites - File Stream
mediumDetects the download of suspicious file types (batch, command, PowerShell scripts) from well-known public file and paste sharing domains by monitoring the creation of Zone.Identifier Alternate Data Streams.
Detection queries are available on the platform. Get full rules →