
Summary
This detection rule flags DNS queries to specific Put.io subdomains, such as 'api.put.io' and 'upload.put.io'. It applies to Microsoft-Windows-DNS-Client events, specifically Event ID 3008, which the DNS Client service writes to the Microsoft-Windows-DNS-Client/Operational log when a DNS query completes. The rule consists of a single selection that checks whether the queried name contains one of these subdomains; a match may indicate data exfiltration to, or other abuse of, the file-sharing service, including its use as a command-and-control (C2) or staging channel. Detection requires that the DNS Client operational log is enabled (it is off by default) and actively collected; the rule does not cover Sysmon Event ID 22 (DnsQuery), which is a separate log source. Because the selection checks only the queried name and not the query status, it fires whether or not the lookup succeeded. False positives may arise from legitimate use of Put.io, so security operations teams should evaluate the context of such queries (which host, how often, and what else that host was doing) carefully before escalating. As the rule is classified as experimental, it is subject to adjustment based on its performance in real-world use, and further tuning may be required after operational review and feedback. Continuous monitoring of file-sharing platforms that can be used for exfiltration remains important to an organization's security posture.
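The selection described above, run over a handful of constructed DNS Client 3008 events, as an added example that is not part of the rule or its page. The field names (EventID, Computer, QueryName, QueryStatus) follow the 3008 event's data; the event records, hostnames and status codes are made up for the demo, and the per-host count is a triage aid this example adds, not part of the rule.

```python
"""Put.io DNS-query selection over constructed Microsoft-Windows-DNS-Client 3008 events.

Added example, not the rule's own code. Events below are constructed, not real telemetry.
"""
from collections import Counter
from dataclasses import dataclass

# Subdomains the rule keys on; matching is case-insensitive, as Sigma string matching is.
PUTIO_SUBDOMAINS = ("api.put.io", "upload.put.io")
DNS_CLIENT_QUERY_COMPLETED = 3008  # Microsoft-Windows-DNS-Client/Operational "query completed"


@dataclass(frozen=True)
class DnsClientEvent:
    event_id: int
    computer: str
    query_name: str
    query_status: int  # 0 = success; non-zero is a Windows DNS error code (constructed values here)


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot an FQDN may carry."""
    return name.strip().rstrip(".").lower()


def matches_rule(ev: DnsClientEvent) -> bool:
    """The rule's selection: a 3008 event whose QueryName is one of the Put.io
    subdomains (or a label beneath one of them). Query status is not checked,
    so a failed or filtered lookup still matches, as in the rule."""
    if ev.event_id != DNS_CLIENT_QUERY_COMPLETED:
        return False
    name = normalize(ev.query_name)
    return any(name == s or name.endswith("." + s) for s in PUTIO_SUBDOMAINS)


def scan(events):
    """Return the events the rule would fire on."""
    return [ev for ev in events if matches_rule(ev)]


def hits_per_host(events):
    """Triage aid (not part of the rule): count hits per host so an analyst can
    weigh a single lookup from a workstation against repeated lookups from a server."""
    return Counter(ev.computer for ev in scan(events))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    DnsClientEvent(3008, "WS01", "api.put.io", 0),               # hit
    DnsClientEvent(3008, "WS01", "UPLOAD.PUT.IO.", 0),           # hit: case and trailing dot normalised
    DnsClientEvent(3008, "WS02", "www.put.io", 0),               # no hit: not one of the selected subdomains
    DnsClientEvent(3008, "WS02", "api.put.io.example.net", 0),   # no hit: different zone entirely
    DnsClientEvent(3008, "SRV01", "api.put.io", 9003),           # hit: failed lookup still logged as 3008
    DnsClientEvent(22, "WS03", "api.put.io", 0),                 # no hit: Sysmon 22 is a different log source
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"{ev.computer}: {ev.query_name} (status {ev.query_status})")
    print(dict(hits_per_host(SAMPLE_EVENTS)))
```

The `www.put.io` and `api.put.io.example.net` lines show why the selection is anchored on whole subdomains rather than a bare substring: a `contains 'put.io'` check would also fire on unrelated zones and on any page of the site a user browses, which is exactly the false-positive surface the summary warns about.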
Categories
- Network
- Endpoint
- Windows
Data Sources
- Windows Registry
- Network Traffic
Created: 2024-08-23