security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/dns_query/dns_query_win_ufile_io.yml
T
Nasreddine Bencherchali 85fb255bc9 feat: new rules and updates
2023-01-17 01:00:44 +01:00

26 lines
724 B
YAML
Raw Blame History

title: DNS Query for Ufile.io Upload Domain - Sysmon
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
related:
- id: 090ffaad-c01a-4879-850c-6d57da98452d
type: similar
status: experimental
description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad and TheDFIRReport
date: 2022/06/23
modified: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Ufile
level: high
Reference in New Issue View Git Blame Copy Permalink