Rule : Detection of Data Exfiltration to Bublup.com
Black Suitbublupexfil
Query
DeviceNetworkEvents
| where RemoteUrl contains "bublup.com"About this query
Explanation
This query is designed to detect potential data theft by monitoring network activity for connections to the website bublup.com. Bublup is a legitimate file-sharing platform, but it has been misused by cybercriminals, including the BlackSuit ransomware group, to upload stolen data. The query looks for any network events where the URL includes "bublup.com," as such connections are rare in business settings and could indicate malicious activity, especially if they occur outside normal business operations. The goal is to identify suspicious network behavior that might suggest data is being prepared for or is in the process of being exfiltrated.
Details

Ali Hussein
Released: April 9, 2025
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemoteUrl
Operators
wherecontains