Detection · low · test

DNS Query To Ufile.io - DNS Client

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Author: Nasreddine Bencherchali (Nextron Systems) · Created Mon Jan 16 · Updated Mon Sep 18 · 090ffaad-c01a-4879-850c-6d57da98452d · windows
Log Source
Product: Windows (raw: windows)
Service: dns-client (raw: dns-client)

Definition

Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.

Detection Logic (1 selector)
detection:
    selection:
        EventID: 3008
        QueryName|contains: 'ufile.io'
    condition: selection
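The selection above is a single field-match rule, so it is easy to apply locally to test how it behaves before deploying it to a SIEM. The following is an added example (not part of the rule or of the Sigma project) that evaluates the rule's selection against a handful of constructed DNS Client event records. It assumes events arrive as flat dictionaries with EventID and QueryName keys, and it implements the Sigma `|contains` modifier as a case-insensitive substring match, which is the default string-matching semantics of the Sigma specification. The sample that includes "ufile.io" as a substring of a longer name shows one reason the false-positive note below applies.

```python
"""Apply the Sigma selection (EventID 3008 and QueryName contains 'ufile.io')
to constructed Windows DNS Client events.

Added example; not the rule author's or the Sigma project's code.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample events in the flat key/value form a SIEM might hand to a matcher.
# Field names follow the Sigma rule (EventID, QueryName); Computer is an assumed
# host field added only to make triage output readable.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 3008, "Computer": "WS01", "QueryName": "ufile.io"},
    {"EventID": 3008, "Computer": "WS02", "QueryName": "cdn.UFILE.IO"},        # case differs
    {"EventID": 3008, "Computer": "WS03", "QueryName": "update.microsoft.com"},  # benign
    {"EventID": 3006, "Computer": "WS01", "QueryName": "ufile.io"},             # wrong EventID
    {"EventID": 3008, "Computer": "WS04", "QueryName": "ufile.ionly.example"},  # substring hit
]


def sigma_contains(value: Any, needle: str) -> bool:
    """Sigma's `contains` modifier: case-insensitive substring match on the string form."""
    if value is None:
        return False
    return needle.lower() in str(value).lower()


def matches_rule(event: Dict[str, Any]) -> bool:
    """The rule's `selection` block: both field conditions must hold (implicit AND)."""
    return event.get("EventID") == 3008 and sigma_contains(event.get("QueryName"), "ufile.io")


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return every event the selection matches; `condition: selection` means no further logic."""
    return [e for e in events if matches_rule(e)]


def hits_by_host(events: Iterable[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Group matched query names by host, the first pivot an analyst needs for triage."""
    grouped: Dict[str, List[str]] = {}
    for e in run_rule(events):
        grouped.setdefault(e.get("Computer", "<unknown>"), []).append(e["QueryName"])
    return grouped


if __name__ == "__main__":
    for host, names in hits_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Running the block reports hits for WS01, WS02 and WS04: the mixed-case name matches because Sigma matching is case-insensitive, the 3006 event is ignored because the EventID condition fails, and the last record matches only because "ufile.io" occurs inside a longer name, which is the kind of hit the false-positive note asks you to investigate rather than act on automatically.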
False Positives

DNS queries for "ufile.io" are not necessarily malicious in themselves. Investigate the source to determine what action to take.

Rule Metadata
Rule ID
090ffaad-c01a-4879-850c-6d57da98452d
Status
test
Level
low
Type
Detection
Created
Mon Jan 16
Modified
Mon Sep 18
Path
rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
Raw Tags
attack.exfiltration, attack.t1567.002