DNS Query To Ufile.io - DNS Client

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Sigma rule (View on GitHub)

 1title: DNS Query To Ufile.io - DNS Client
 2id: 090ffaad-c01a-4879-850c-6d57da98452d
 3related:
 4    - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
 5      type: similar
 6status: test
 7description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
 8references:
 9    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-16
12modified: 2023-09-18
13tags:
14    - attack.exfiltration
15    - attack.t1567.002
16logsource:
17    product: windows
18    service: dns-client
19    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
20detection:
21    selection:
22        EventID: 3008
23        QueryName|contains: 'ufile.io'
24    condition: selection
25falsepositives:
26    - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
27level: low

References

Related rules

to-top