
Summary
This detection rule identifies DNS queries for the domain 'anonfiles.com', a platform for anonymous file upload and sharing that is frequently abused for malicious purposes. It matches events in which the Windows DNS client generates a query whose name contains '.anonfiles.com', using the Windows DNS Client operational log and specifically Event ID 3008, which records a DNS query. The rule is assigned a high severity level because access to this domain is typically associated with exfiltration of sensitive data or delivery of malware. For the rule to function, the Microsoft-Windows-DNS Client Events/Operational event log must be enabled and its events collected. A known false positive is rare legitimate access to the Anonfiles domain, which should be taken into account when implementing and monitoring the rule.
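The following is an added example, not the rule's own code or content from the page, showing the matching logic the summary describes (DNS Client Events/Operational channel, Event ID 3008, query name containing '.anonfiles.com') evaluated over a set of constructed sample events. It also includes a stricter suffix-based variant, which is my own addition rather than part of the rule, to illustrate how a plain substring check treats the apex domain, mixed case, trailing dots and look-alike names differently. The `DnsClientEvent` structure and the sample events are assumptions made for the example.

```python
"""Added example (not the detection rule's own code): evaluate the rule's
DNS-query matching logic over constructed Windows DNS Client events."""
from dataclasses import dataclass

# Values taken from the rule summary.
DNS_CLIENT_CHANNEL = "Microsoft-Windows-DNS Client Events/Operational"
DNS_QUERY_EVENT_ID = 3008
SUSPICIOUS_DOMAIN = "anonfiles.com"


@dataclass
class DnsClientEvent:
    """Minimal view of a DNS Client event (hypothetical structure for this example)."""
    channel: str
    event_id: int
    query_name: str


def matches_rule(event: DnsClientEvent) -> bool:
    """Rule logic as the summary describes it: correct channel, Event ID 3008,
    and a query name that contains '.anonfiles.com' (compared case-insensitively,
    since DNS names are case-insensitive)."""
    return (
        event.channel == DNS_CLIENT_CHANNEL
        and event.event_id == DNS_QUERY_EVENT_ID
        and ".anonfiles.com" in event.query_name.lower()
    )


def matches_domain_suffix(event: DnsClientEvent) -> bool:
    """Stricter variant (my addition, not part of the rule): the queried name must
    be exactly the domain or a subdomain of it. This catches the apex name
    'anonfiles.com' and ignores look-alikes such as 'cdn.anonfiles.com.example'
    that a substring check would flag."""
    name = event.query_name.lower().rstrip(".")  # normalise case and trailing dot
    return (
        event.channel == DNS_CLIENT_CHANNEL
        and event.event_id == DNS_QUERY_EVENT_ID
        and (name == SUSPICIOUS_DOMAIN or name.endswith("." + SUSPICIOUS_DOMAIN))
    )


# Constructed sample events covering the cases a practitioner would want to check.
SAMPLE_EVENTS = [
    DnsClientEvent(DNS_CLIENT_CHANNEL, 3008, "cdn-123.anonfiles.com"),        # subdomain: both match
    DnsClientEvent(DNS_CLIENT_CHANNEL, 3008, "www.example.com"),              # unrelated: neither
    DnsClientEvent(DNS_CLIENT_CHANNEL, 3008, "anonfiles.com"),                # apex: substring misses it
    DnsClientEvent(DNS_CLIENT_CHANNEL, 3008, "Files.AnonFiles.com."),         # mixed case, trailing dot
    DnsClientEvent(DNS_CLIENT_CHANNEL, 3020, "api.anonfiles.com"),            # wrong event id
    DnsClientEvent("Security", 3008, "api.anonfiles.com"),                    # wrong channel
    DnsClientEvent(DNS_CLIENT_CHANNEL, 3008, "cdn.anonfiles.com.lookalike.example"),  # look-alike
]


def run_detection(events, matcher=matches_rule):
    """Return the query names of all events the chosen matcher flags."""
    return [e.query_name for e in events if matcher(e)]


if __name__ == "__main__":
    print("rule (substring):", run_detection(SAMPLE_EVENTS))
    print("suffix variant:  ", run_detection(SAMPLE_EVENTS, matches_domain_suffix))
```

Running the block shows the two matchers disagreeing on the apex name and on the look-alike, which is the kind of difference worth confirming against your own log samples before tuning the rule for the rare legitimate accesses the summary mentions.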
Categories
- Network
- Endpoint
- Windows
Data Sources
- Windows Registry
- Network Traffic
- Logon Session
Created: 2023-01-16