Type: Detection | Level: low | Status: test
DNS Query To Ufile.io
Detects DNS queries to "ufile.io", a file-sharing service that has been seen abused by malware and threat actors as a method for data exfiltration.
Author: yatinwad, TheDFIRReport
Created: Thu Jun 23
Updated: Mon Sep 18
Rule ID: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
Product: windows
Log Source
Product: Windows (raw: windows)
Category: DNS Query (raw: dns_query)
DNS lookup events generated by endpoint monitoring tools.
Detection Logic
detection:
    selection:
        QueryName|contains: 'ufile.io'
    condition: selection
False Positives
DNS queries for "ufile.io" are not malicious in themselves; the service has legitimate file-sharing uses. Investigate the source process and host behind the query to determine what action, if any, is needed.
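To make the selection concrete, the following is an added Python example (not part of the Sigma rule or of SigmaHQ's tooling) that evaluates `QueryName|contains: 'ufile.io'` the way a Sigma backend would, i.e. as a case-insensitive substring match, over Sysmon Event ID 22 (DnsQuery) records and then groups the hits by source image so the "investigate the source" step has a starting point. The sample events, image paths and process IDs are constructed for the example; the field names follow Sysmon's DnsQuery event.

```python
"""Evaluate the Sigma selection `QueryName|contains: 'ufile.io'` over
Sysmon Event ID 22 (DNS query) records and group the hits by process.

This is an added illustration, not the Sigma rule itself and not
SigmaHQ/pySigma code. The events below are constructed sample data.
"""
from collections import defaultdict

# Constructed Sysmon EID 22 records (not real telemetry). Field names
# follow Sysmon's DnsQuery event: Image, ProcessId, QueryName, QueryStatus.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessId": 4412, "QueryName": "up.ufile.io", "QueryStatus": "0"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 1188, "QueryName": "UFILE.IO", "QueryStatus": "0"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "ProcessId": 1404, "QueryName": "ctldl.windowsupdate.com", "QueryStatus": "0"},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ProcessId": 7720, "QueryName": "ufile.io", "QueryStatus": "0"},
    # Malformed/partial record with no QueryName: must never match.
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1404},
]


def sigma_contains(field_value, needle):
    """Sigma's |contains modifier: substring match, case-insensitive unless
    |cased is also given. A missing field never matches."""
    if field_value is None:
        return False
    return needle.lower() in str(field_value).lower()


def selection_matches(event):
    """The rule's single selector: QueryName|contains: 'ufile.io'."""
    return sigma_contains(event.get("QueryName"), "ufile.io")


def evaluate_rule(events):
    """condition: selection -> return every event the selector matches."""
    return [e for e in events if selection_matches(e)]


def hits_by_image(events):
    """Group matching query names by the process image that issued them,
    which is the first thing to look at when triaging a low-level hit."""
    groups = defaultdict(list)
    for e in evaluate_rule(events):
        groups[e["Image"]].append(e["QueryName"])
    return dict(groups)


if __name__ == "__main__":
    for image, names in hits_by_image(SAMPLE_EVENTS).items():
        print(f"{image}: {sorted(set(names))}")
```

Two behaviours worth noting: `contains` is a plain substring test, so subdomains such as `up.ufile.io` and upper-case names match, while an event that lacks `QueryName` entirely is skipped rather than raising. In the constructed data the browser hit is the kind of benign use the False Positives note warns about; the query from an executable under a user's Temp directory is the one to follow up on.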
MITRE ATT&CK
Tactics: Exfiltration (attack.exfiltration)
Sub-techniques: T1567.002 Exfiltration to Cloud Storage (attack.t1567.002)
Rule Metadata
Rule ID: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
Status: test
Level: low
Type: Detection
Created: Thu Jun 23
Modified: Mon Sep 18
Author: yatinwad, TheDFIRReport
Path: rules/windows/dns_query/dns_query_win_ufile_io_query.yml
Raw Tags: attack.exfiltration, attack.t1567.002