| ID | Technique | Tactic |
|---|---|---|
| T1530 | Data from Cloud Storage | Collection |
| T1567 | Exfiltration Over Web Service | Exfiltration |
Detection: O365 Exfiltration via File Download
Description
The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
Search
1`o365_management_activity` Operation IN ("filedownloaded")
2
3| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
4
5| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
6
7| rename SiteUrl as file_path,Workload as app
8
9| where count > 50
10
11| `security_content_ctime(firstTime)`
12
13| `security_content_ctime(lastTime)`
14
15| `o365_exfiltration_via_file_download_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Office 365 Universal Audit Log | Other | 'o365:management:activity' |
'o365' |
Macros Used
| Name | Value |
|---|---|
| o365_management_activity | sourcetype=o365:management:activity |
| o365_exfiltration_via_file_download_filter | search * |
o365_exfiltration_via_file_download_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.
Implementation
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ | user | user | 20 |
Threat Objects
| Field | Type |
|---|---|
| src | ip_address |
References
-
https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
-
https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
| Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 6