Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
status testauthor Nasreddine Bencherchali (Nextron Systems)id 29f171d7-aa47-42c7-9c7b-3c87938164d9
view Sigma YAML
title: DNS Query for Anonfiles.com Domain - DNS Client
id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
- id: 065cceea-77ec-4030-9052-fc0affea7110
type: similar
status: test
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
high
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
status testauthor pH-T (Nextron Systems)id 065cceea-77ec-4030-9052-fc0affea7110
view Sigma YAML
title: DNS Query for Anonfiles.com Domain - Sysmon
id: 065cceea-77ec-4030-9052-fc0affea7110
related:
- id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
type: similar
status: test
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
high
PUA - Rclone Execution
Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
title: PUA - Rclone Execution
id: e37db05d-d1f9-49c8-b464-cee1a4b11638
related:
- id: a0d63692-a531-4912-ad39-4393325b2a9c
type: obsolete
- id: cb7286ba-f207-44ab-b9e6-760d82b84253
type: obsolete
status: test
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-10
modified: 2023-03-05
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: process_creation
detection:
selection_specific_options:
CommandLine|contains|all:
- '--config '
- '--no-check-certificate '
- ' copy '
selection_rclone_img:
- Image|endswith: '\rclone.exe'
- Description: 'Rsync for cloud storage'
selection_rclone_cli:
CommandLine|contains:
- 'pass'
- 'user'
- 'copy'
- 'sync'
- 'config'
- 'lsd'
- 'remote'
- 'ls'
- 'mega'
- 'pcloud'
- 'ftp'
- 'ignore-existing'
- 'auto-confirm'
- 'transfers'
- 'multi-thread-streams'
- 'no-check-certificate '
condition: selection_specific_options or all of selection_rclone_*
falsepositives:
- Unknown
level: high
high
PUA - Restic Backup Tool Execution
Detects the execution of the Restic backup tool, which can be used for data exfiltration.
Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
status experimentalauthor Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)id 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
view Sigma YAML
title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
Detects the execution of the Restic backup tool, which can be used for data exfiltration.
Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
- https://restic.net/
- https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
- attack.exfiltration
- attack.t1048
- attack.t1567.002
logsource:
product: windows
category: process_creation
detection:
selection_specific:
- CommandLine|contains|all:
- '--password-file'
- 'init'
- ' -r '
- CommandLine|contains|all:
- '--use-fs-snapshot'
- 'backup'
- ' -r '
selection_restic:
CommandLine|contains:
- 'sftp:'
- 'rest:http'
- 's3:s3.'
- 's3.http'
- 'azure:'
- ' gs:'
- 'rclone:'
- 'swift:'
- ' b2:'
CommandLine|contains|all:
- ' init '
- ' -r '
condition: 1 of selection_*
falsepositives:
- Legitimate use of Restic for backup purposes within the organization.
level: high
high
Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
status testauthor Florian Roth (Nextron Systems)id 25eabf56-22f0-4915-a1ed-056b8dae0a68
view Sigma YAML
title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
- https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
- attack.command-and-control
- attack.exfiltration
- attack.t1105
- attack.t1567.002
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- 'api.dropboxapi.com'
- 'content.dropboxapi.com'
filter_main_legit_dropbox:
# Note: It's better to add a specific path to the exact location(s) where dropbox is installed
Image|contains: '\Dropbox'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of the API with a tool that the author wasn't aware of
level: high
medium
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
status testauthor Aaron Greetham (@beardofbinary) - NCC Groupid 613c03ba-0779-4a53-8a1f-47f914a4ded3
view Sigma YAML
title: DNS Query To MEGA Hosting Website
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
- id: 66474410-b883-415f-9f8d-75345a0a66a6
type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: medium
medium
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
status testauthor Nasreddine Bencherchali (Nextron Systems)id 66474410-b883-415f-9f8d-75345a0a66a6
view Sigma YAML
title: DNS Query To MEGA Hosting Website - DNS Client
id: 66474410-b883-415f-9f8d-75345a0a66a6
related:
- id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: medium
medium
Rclone Activity via Proxy
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
status testauthor Janantha Marasingheid 2c03648b-e081-41a5-b9fb-7d854a915091
view Sigma YAML
title: Rclone Activity via Proxy
id: 2c03648b-e081-41a5-b9fb-7d854a915091
status: test
description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
references:
- https://rclone.org/
- https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
author: Janantha Marasinghe
date: 2022-10-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'rclone/v'
condition: selection
falsepositives:
- Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
level: medium
medium
Rclone Config File Creation
Detects Rclone config files being created
status testauthor Aaron Greetham (@beardofbinary) - NCC Groupid 34986307-b7f4-49be-92f3-e7a4d01ac5db
view Sigma YAML
title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
status: test
description: Detects Rclone config files being created
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-05-09
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- ':\Users\'
- '\.config\rclone\'
condition: selection
falsepositives:
- Legitimate Rclone usage
level: medium
low
DNS Query To Ufile.io
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
status testauthor yatinwad, TheDFIRReportid 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
view Sigma YAML
title: DNS Query To Ufile.io
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
related:
- id: 090ffaad-c01a-4879-850c-6d57da98452d
type: similar
status: test
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad, TheDFIRReport
date: 2022-06-23
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low
low
DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
status testauthor Nasreddine Bencherchali (Nextron Systems)id 090ffaad-c01a-4879-850c-6d57da98452d
view Sigma YAML
title: DNS Query To Ufile.io - DNS Client
id: 090ffaad-c01a-4879-850c-6d57da98452d
related:
- id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
type: similar
status: test
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low
low
Network Connection Initiated To Mega.nz
Detects a network connection initiated by a binary to "api.mega.co.nz".
Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
status testauthor Florian Roth (Nextron Systems)id fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
view Sigma YAML
title: Network Connection Initiated To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
description: |
Detects a network connection initiated by a binary to "api.mega.co.nz".
Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
references:
- https://megatools.megous.com/
- https://www.mandiant.com/resources/russian-targeting-gov-business
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2024-05-31
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- 'mega.co.nz'
- 'mega.nz'
condition: selection
falsepositives:
- Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
level: low