Detectionhightest

DNS Query for Anonfiles.com Domain - DNS Client

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Jan 1629f171d7-aa47-42c7-9c7b-3c87938164d9windows

Log Source

Windowsdns-client

ProductWindows← raw: windows

Servicedns-client← raw: dns-client

Definition

Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.

Detection Logic

detection:
    selection:
        EventID: 3008
        QueryName|contains: '.anonfiles.com'
    condition: selection

False Positives

Rare legitimate access to anonfiles.com

References

MITRE ATT&CK

Tactics

Sub-techniques

Related Rules

DNS Query for Anonfiles.com Domain - Sysmon

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

29f171d7-aa47-42c7-9c7b-3c87938164d9

Status

test

Level

high

Type

Detection

Created

Mon Jan 16

Author

Path

rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml

Raw Tags

attack.exfiltrationattack.t1567.002