| ID | Technique | Tactic |
|---|---|---|
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1530 | Data from Cloud Storage | Collection |
Detection: O365 Exfiltration via File Download
Description
The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
Search
1`o365_management_activity` Operation IN ("filedownloaded")
2
3| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
4
5| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
6
7| rename SiteUrl as file_path,Workload as app
8
9| where count > 50
10
11| `security_content_ctime(firstTime)`
12
13| `security_content_ctime(lastTime)`
14
15| `o365_exfiltration_via_file_download_filter`
Data Source
No data sources specified for this detection.
Macros Used
| Name | Value |
|---|---|
| o365_management_activity | sourcetype=o365:management:activity |
| o365_exfiltration_via_file_download_filter | search * |
o365_exfiltration_via_file_download_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 25 | src |
References
-
https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
-
https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
| Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1