{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/delivery/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["file-download","delivery","windows","defense-evasion","command-and-control","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on a behavioral detection designed to identify suspicious file downloads from public file and paste sharing websites. Attackers frequently leverage legitimate services like GitHub, Mega.nz, Pastebin, or Discord to host malicious payloads, command and control configurations, or exfiltrated data. This method allows them to bypass traditional network filtering and evade detection by blending in with legitimate traffic. The detection specifically targets files with common scripting extensions (\u003ccode\u003e.bat\u003c/code\u003e, \u003ccode\u003e.cmd\u003c/code\u003e, \u003ccode\u003e.ps1\u003c/code\u003e) that also carry the \u003ccode\u003eZone.Identifier\u003c/code\u003e Alternate Data Stream, a Windows mechanism indicating a file's origin from the internet. The presence of this stream on executable or script files downloaded from untrusted public sources is a strong indicator of potential malicious activity, such as the delivery of initial access payloads, second-stage malware, or tools for persistence. Defenders should be aware that such downloads are often precursors to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved, potentially via a phishing campaign, compromised legitimate software, or exploitation of a vulnerable internet-facing application, granting the attacker initial execution capabilities on a target system.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the initial foothold to stage a secondary payload download, often calling out to publicly available and trusted-looking file or paste-sharing services to host the malicious artifact.\u003c/li\u003e\n\u003cli\u003eA malicious script or binary on the compromised system initiates a download of a file from a well-known public file-sharing domain (e.g., \u003ccode\u003egithubusercontent.com\u003c/code\u003e, \u003ccode\u003emega.nz\u003c/code\u003e, \u003ccode\u003ecdn.discordapp.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe downloaded file arrives with a suspicious scripting extension (such as \u003ccode\u003e.bat\u003c/code\u003e, \u003ccode\u003e.cmd\u003c/code\u003e, or \u003ccode\u003e.ps1\u003c/code\u003e) and inherently creates an Alternate Data Stream (ADS) named \u003ccode\u003eZone.Identifier\u003c/code\u003e, marking its origin from the internet.\u003c/li\u003e\n\u003cli\u003eThe system records the creation of this file and its associated \u003ccode\u003eZone.Identifier\u003c/code\u003e stream, indicating an external download of potentially executable content.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to execute this downloaded script using a command and scripting interpreter (e.g., PowerShell, cmd.exe), often through a user interaction or an automated mechanism.\u003c/li\u003e\n\u003cli\u003eSuccessful execution leads to the establishment of persistent access, full command and control capabilities, data exfiltration to attacker-controlled infrastructure, or the deployment of further malware such as ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf malicious script files downloaded from public file-sharing domains are executed, organizations face significant risks including full system compromise, network lateral movement, and data exfiltration. Attackers can leverage these initial access points to deploy ransomware, steal sensitive information, or disrupt critical operations. The use of legitimate services makes these attacks harder to detect at the network perimeter, increasing the likelihood of successful execution and subsequent damage. The impact often includes financial loss due to business disruption, regulatory fines, and reputational damage. While no specific victim numbers are available for this generic detection, such techniques are widely employed across various sectors by numerous threat actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Unusual File Download From File Sharing Websites - File Stream\u0026quot; to your SIEM and tune for your environment to detect suspicious file downloads.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon \u003ccode\u003eEventID 15\u003c/code\u003e (FileStreamCreated) logging is enabled and collected for all Windows endpoints to activate the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the rule for \u003ccode\u003eTargetFilename\u003c/code\u003e values ending in \u003ccode\u003e:Zone\u003c/code\u003e combined with suspicious extensions (\u003ccode\u003e.bat\u003c/code\u003e, \u003ccode\u003e.cmd\u003c/code\u003e, \u003ccode\u003e.ps1\u003c/code\u003e) originating from \u003ccode\u003eContents\u003c/code\u003e containing known file-sharing domains.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of downloading and executing files from untrusted sources, even if hosted on legitimate platforms, as these are frequently used in phishing and malware delivery schemes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:05:16Z","date_published":"2026-07-03T15:05:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-unusual-file-download-file-stream/","summary":"This brief details the detection of suspicious file types (batch, command, PowerShell scripts) downloaded from well-known public file and paste sharing domains, leveraging the `Zone.Identifier` Alternate Data Stream to signal potential malware delivery or covert data transfer, which could lead to system compromise and data exfiltration.","title":"Unusual File Download From File Sharing Websites - File Stream","url":"https://feed.craftedsignal.io/briefs/2026-07-unusual-file-download-file-stream/"}],"language":"en","title":"CraftedSignal Threat Feed - Delivery","version":"https://jsonfeed.org/version/1.1"}