DNS Query for Ufile.io Upload Domain
Detects DNS queries for subdomains used for upload to ufile.io
Sigma rule (View on GitHub)
1title: DNS Query for Ufile.io Upload Domain
2id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
3description: Detects DNS queries for subdomains used for upload to ufile.io
4status: experimental
5author: yatinwad and TheDFIRReport
6date: 2021-12-13
7modified: 2024-02-23
8references:
9 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10tags:
11 - attack.exfiltration
12 - attack.t1567.002
13logsource:
14 product: windows
15 service: dns_query
16detection:
17 dns_request:
18 QueryName|contains: ufile.io
19 condition: dns_request
20falsepositives:
21 - unknown
22level: high
References
-
In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.
Read More
Related rules
- Rclone SMB Share Exfiltration
- PUA - Rclone Execution
- DNS Query for Anonfiles.com Domain - DNS Client
- DNS Query for Anonfiles.com Domain - Sysmon
- Rclone Activity via Proxy