Query Details

Rule : Detection of Data Exfiltration to Bublup.com

Black Suitbublupexfil

Query

DeviceNetworkEvents
| where RemoteUrl contains "bublup.com"

About this query

Explanation

This query is designed to detect potential data theft by monitoring network activity for connections to the website bublup.com. Bublup is a legitimate file-sharing platform, but it has been misused by cybercriminals, including the BlackSuit ransomware group, to upload stolen data. The query looks for any network events where the URL includes "bublup.com," as such connections are rare in business settings and could indicate malicious activity, especially if they occur outside normal business operations. The goal is to identify suspicious network behavior that might suggest data is being prepared for or is in the process of being exfiltrated.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 9, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteUrl

Operators

wherecontains

Actions

GitHub