DNS Query To Ufile.io
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Sigma rule (View on GitHub)
1title: DNS Query To Ufile.io
2id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
3related:
4 - id: 090ffaad-c01a-4879-850c-6d57da98452d
5 type: similar
6status: experimental
7description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
8references:
9 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10author: yatinwad, TheDFIRReport
11date: 2022/06/23
12modified: 2023/09/18
13tags:
14 - attack.exfiltration
15 - attack.t1567.002
16logsource:
17 product: windows
18 category: dns_query
19detection:
20 selection:
21 QueryName|contains: 'ufile.io'
22 condition: selection
23falsepositives:
24 - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
25level: low
References
-
In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.
Read More
Related rules
- DNS Query To MEGA Hosting Website
- DNS Query To MEGA Hosting Website - DNS Client
- DNS Query To Ufile.io - DNS Client
- Rclone Config File Creation
- WebDav Client Execution Via Rundll32.EXE