DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Sigma rule (View on GitHub)
1title: DNS Query To Ufile.io - DNS Client
2id: 090ffaad-c01a-4879-850c-6d57da98452d
3related:
4 - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
5 type: similar
6status: experimental
7description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
8references:
9 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/16
12modified: 2023/09/18
13tags:
14 - attack.exfiltration
15 - attack.t1567.002
16logsource:
17 product: windows
18 service: dns-client
19 definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
20detection:
21 selection:
22 EventID: 3008
23 QueryName|contains: 'ufile.io'
24 condition: selection
25falsepositives:
26 - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
27level: low
References
-
In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.
Read More
Related rules
- DNS Query To MEGA Hosting Website
- DNS Query To MEGA Hosting Website - DNS Client
- DNS Query To Ufile.io
- Rclone Config File Creation
- WebDav Client Execution Via Rundll32.EXE