| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Data exfiltration from Analytics Workspace using sid query | Splunk | Exfiltration Over Web Service | Hunting | Splunk Vulnerabilities | 2024-05-25 |
| AWS AMI Attribute Modification for Exfiltration | AWS CloudTrail ModifyImageAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-09 |
| AWS EC2 Snapshot Shared Externally | AWS CloudTrail ModifySnapshotAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-07 |
| AWS Exfiltration via Bucket Replication | AWS CloudTrail PutBucketReplication | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2024-05-11 |
| AWS Exfiltration via EC2 Snapshot | AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-10 |
| AWS S3 Exfiltration Behavior Identified | | Transfer Data to Cloud Account | Correlation | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-13 |
| Gsuite Drive Share In External Email | G Suite Drive | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly | Dev Sec Ops, Insider Threat | 2024-05-21 |
| Gsuite Outbound Email With Attachment To External Domain | G Suite Gmail | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Hunting | Dev Sec Ops, Insider Threat | 2024-05-10 |
| O365 DLP Rule Triggered | | Exfiltration Over Alternative Protocol, Exfiltration Over Web Service | Anomaly | Data Exfiltration | 2024-09-24 |
| O365 Email Access By Security Administrator | | Exfiltration Over Web Service, Email Collection, Remote Email Collection | TTP | Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover | 2024-04-01 |
| Clients Connecting to Multiple DNS Servers | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-08-15 |
| Detect Long DNS TXT Record Response | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Suspicious DNS Traffic | 2024-08-15 |
| Detection of DNS Tunnels | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Data Protection, Suspicious DNS Traffic | 2024-08-15 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | TTP | DarkSide Ransomware, Ransomware | 2024-08-15 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | Hunting | DarkSide Ransomware, Ransomware | 2024-08-19 |
| DNS Exfiltration Using Nslookup App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exfiltration Over Alternative Protocol | TTP | Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-08-15 |
| Excessive Usage of NSLOOKUP App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exfiltration Over Alternative Protocol | Anomaly | Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-05-15 |
| High Frequency Copy Of Files In Network Share | Windows Event Log Security 5145 | Transfer Data to Cloud Account | Anomaly | Information Sabotage, Insider Threat | 2024-05-26 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | Living Off The Land | 2024-09-24 |
| Windows Exfiltration Over C2 Via Invoke RestMethod | Powershell Script Block Logging 4104 | Exfiltration Over C2 Channel | TTP | Winter Vivern | 2024-05-21 |
| Windows Exfiltration Over C2 Via Powershell UploadString | Powershell Script Block Logging 4104 | Exfiltration Over C2 Channel | TTP | Winter Vivern | 2024-05-27 |
| Windows Rundll32 WebDAV Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2024-08-15 |
| Windows Rundll32 WebDav With Network Connection | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2024-08-15 |
| Detect DNS Data Exfiltration using pretrained model in DSDL | | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-05-22 |
| Detect SNICat SNI Exfiltration | | Exfiltration Over C2 Channel | TTP | Data Exfiltration | 2024-05-21 |
| Detect Traffic Mirroring | | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP | Router and Infrastructure Security | 2024-08-14 |
| DNS Query Length With High Standard Deviation | Sysmon EventID 22 | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2024-05-15 |
| High Volume of Bytes Out to Url | Nginx Access | Exfiltration Over Web Service | Anomaly | Data Exfiltration | 2024-05-24 |
| Multiple Archive Files Http Post Traffic | Splunk Stream HTTP | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP | Command And Control, Data Exfiltration | 2024-05-16 |
| Plain HTTP POST Exfiltrated Data | Splunk Stream HTTP | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP | Command And Control, Data Exfiltration | 2024-05-26 |
| Prohibited Network Traffic Allowed | | Exfiltration Over Alternative Protocol | TTP | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-05-11 |
| Protocol or Port Mismatch | | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch | 2024-05-29 |