DNS Query To Put.io - DNS Client

 1title: DNS Query To Put.io - DNS Client
 2id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
 3status: experimental
 4description: Detects DNS queries for subdomains related to "Put.io" sharing website.
 5references:
 6    - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
 7author: Omar Khaled (@beacon_exe)
 8date: 2024-08-23
 9tags:
10    - attack.command-and-control
11logsource:
12    product: windows
13    service: dns-client
14    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
15detection:
16    selection:
17        EventID: 3008
18        QueryName|contains:
19            - 'api.put.io'
20            - 'upload.put.io'
21    condition: selection
22falsepositives:
23    - Legitimate DNS queries and usage of Put.io
24level: medium

References

• Medusa Ransomware Group’s OPSEC Failure: Infiltrating Their Cloud Storage | Blog | Dark Atlas | Dark Web Monitoring Platform | Compromised Credentials Monitoring | Account Takeover Prevention Platform | Threat Intelligence | Buguard

  

  <p>Dark Atlas Squad recently responded to a ransomware incident carried out by Medusa Ransomware Group. Their OPSEC failure allowed us to infiltrate their cloud account for a certain amount of time and access the data they had been exfiltrating over time.</p>

  
  Read More

Related rules

• Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
• Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
• New Connection Initiated To Potential Dead Drop Resolver Domain
• ADSI-Cache File Creation By Uncommon Tool
• APT User Agent