DNS Query for Ufile.io Upload Domain

calendar Feb 23, 2024 · attack.exfiltration attack.t1567.002  ·
Share on: linkedin copy

Detects DNS queries for subdomains used for upload to ufile.io

Sigma rule (View on GitHub)

 1title: DNS Query for Ufile.io Upload Domain
 2id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
 3description: Detects DNS queries for subdomains used for upload to ufile.io
 4status: experimental
 5author: yatinwad and TheDFIRReport
 6date: 2021-12-13
 7modified: 2024-02-23
 8references:
 9    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10tags:
11    - attack.exfiltration
12    - attack.t1567.002
13logsource:
14    product: windows
15    service: dns_query
16detection:
17    dns_request:
18        QueryName|contains: ufile.io
19    condition: dns_request
20falsepositives:
21    - unknown
22level: high

References

  • Diavol Ransomware

    In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Di…


    Read More

Related rules

to-top