DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Sigma rule (View on GitHub)
1title: DNS Query for Anonfiles.com Domain - DNS Client
2id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
3related:
4 - id: 065cceea-77ec-4030-9052-fc0affea7110
5 type: similar
6status: test
7description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
8references:
9 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/16
12tags:
13 - attack.exfiltration
14 - attack.t1567.002
15logsource:
16 product: windows
17 service: dns-client
18 definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
19detection:
20 selection:
21 EventID: 3008
22 QueryName|contains: '.anonfiles.com'
23 condition: selection
24falsepositives:
25 - Rare legitimate access to anonfiles.com
26level: high
References
-
BlackByte is a ransomware group that has been building a name for itself since 2021. Like its contemporaries, it has gone after critical infrastructure for a higher chance of getting a payout. What techniques sets it apart?
Read More
Related rules
- DNS Query for Anonfiles.com Domain - Sysmon
- Rclone Activity via Proxy
- DNS Query To MEGA Hosting Website
- DNS Query To MEGA Hosting Website - DNS Client
- DNS Query To Ufile.io