Collection and Staging
Description
Monitor for and investigate activities, such as suspicious writes to the Windows Recycle Bin or email servers sending high amounts of traffic to specific hosts, that may indicate that an adversary is harvesting and exfiltrating sensitive data.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic
- Last Updated: 2020-02-03
- Author: Rico Valdez, Splunk
- ID: 8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a
Narrative
A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on. Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. Each of these activities gives defenders an opportunity to detect the adversary's presence. Use the searches to detect and monitor suspicious behavior related to these activities.
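The two behaviors named in the description can be sketched as detection logic over endpoint and network events. This is an added example, not one of Splunk's own searches; the event field names, host names, the `explorer.exe` allowlist and the fixed byte threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry); field names are assumptions.
FILE_WRITES = [
    {"host": "ws01", "process": "explorer.exe", "path": r"C:\$Recycle.Bin\S-1-5-21-1111\$RABC123.docx"},
    {"host": "ws02", "process": "7z.exe", "path": r"C:\$Recycle.Bin\stage\finance.7z"},
    {"host": "ws02", "process": "winword.exe", "path": r"C:\Users\amy\Documents\notes.docx"},
]
FLOWS = [
    {"src": "mail01", "dest": "10.0.5.20", "bytes_out": 40_000_000},
    {"src": "mail01", "dest": "203.0.113.7", "bytes_out": 300_000_000},
    {"src": "mail01", "dest": "203.0.113.7", "bytes_out": 350_000_000},
    {"src": "ws02", "dest": "203.0.113.7", "bytes_out": 900_000_000},
]
MAIL_SERVERS = {"mail01"}            # assumption: inventory of email servers
RECYCLE_ALLOWED = {"explorer.exe"}   # assumption: only the shell normally writes here
BYTES_THRESHOLD = 500_000_000        # assumption: tune against a per-server baseline

def recycle_bin_writes(events, allowed=RECYCLE_ALLOWED):
    """Return (host, process, path) for Recycle Bin writes by unexpected processes."""
    hits = []
    for e in events:
        # Compare path components case-insensitively, as Windows paths are.
        parts = [p.lower() for p in PureWindowsPath(e["path"]).parts]
        if "$recycle.bin" in parts and e["process"].lower() not in allowed:
            hits.append((e["host"], e["process"], e["path"]))
    return hits

def mail_server_heavy_destinations(flows, mail_servers=MAIL_SERVERS,
                                   threshold=BYTES_THRESHOLD):
    """Sum outbound bytes per (mail server, destination); return pairs above threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in mail_servers:
            totals[(f["src"], f["dest"])] += f["bytes_out"]
    return {pair: total for pair, total in totals.items() if total > threshold}

if __name__ == "__main__":
    print("Recycle Bin staging candidates:", recycle_bin_writes(FILE_WRITES))
    print("Mail server volume outliers:", mail_server_heavy_destinations(FLOWS))
```

A fixed threshold is the simplest form of the volume check; comparing each server against its own historical baseline reduces false positives on busy mail hosts.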
Detections
Reference
source | version: 1