DNS Query To Put.io - DNS Client

Date: 08/26/2024

Severity: Medium

Summary

Detects DNS queries for subdomains associated with the "Put.io" file-sharing website.

Indicators of Compromise (IOC) List

EventID: 3008

QueryName: 'api.put.io', 'upload.put.io'

Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1

(resourceName = "Sysmon" AND eventtype = "3008") AND queryname In ("api.put.io", "upload.put.io")

Detection Query 2

(Technologygroup = "EDR") AND queryname In ("api.put.io", "upload.put.io")
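The two queries above express the same test: a DNS query event with ID 3008 whose queried name is exactly one of the two Put.io indicators. The following is an added example, not Gurucul's or SigmaHQ's code, that applies that logic to DNS Client events offline. It assumes each event is a dictionary carrying "EventID" and "QueryName" fields (the field names used by the IOC list above); the sample events are constructed, not real telemetry. It goes slightly beyond the page by folding case and a trailing root dot before comparing, since DNS names are case-insensitive, so "Upload.Put.IO." still matches while "notapi.put.io" does not.

```python
"""Match DNS Client query events against the Put.io indicators.

Added example; not code from the Gurucul page or the referenced Sigma rule.
Events are assumed to be dicts with "EventID" and "QueryName" keys.
"""

IOC_EVENT_ID = 3008
IOC_QUERY_NAMES = frozenset({"api.put.io", "upload.put.io"})


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot only marks the root,
    so fold both before comparing against the indicator list."""
    return name.strip().rstrip(".").lower()


def is_put_io_query(event: dict) -> bool:
    """True when the event is a DNS query event (ID 3008) for one of the
    Put.io indicator names. Exact match after normalization, mirroring the
    page's `queryname In (...)` test; subdomains of the IOCs do not match."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    if event_id != IOC_EVENT_ID:
        return False
    qname = event.get("QueryName")
    if not isinstance(qname, str):
        return False
    return normalize_name(qname) in IOC_QUERY_NAMES


def find_matches(events):
    """Return the events that match the indicator, preserving input order."""
    return [e for e in events if is_put_io_query(e)]


# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 3008, "Computer": "WS-01", "QueryName": "api.put.io"},
    {"EventID": 3008, "Computer": "WS-01", "QueryName": "www.example.com"},
    {"EventID": 3008, "Computer": "WS-02", "QueryName": "Upload.Put.IO."},
    # Same name but a different event ID: not a 3008 query event, so no match.
    {"EventID": 3006, "Computer": "WS-02", "QueryName": "upload.put.io"},
    # A longer name that merely ends in an IOC must not match an exact-match rule.
    {"EventID": 3008, "Computer": "WS-03", "QueryName": "notapi.put.io"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: DNS query for {hit['QueryName']} "
              f"(EventID {hit['EventID']})")
```

Run as a script it reports the WS-01 and WS-02 hits only. Detection Query 2 is the same name match applied to EDR telemetry instead of the DNS Client log, so `is_put_io_query` can be reused there once the EDR record is mapped onto the same two fields.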

Reference:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/dns_client/win_dns_client_put_io.yml

https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure


Tags: Malware, Sigma
