ID | Technique | Tactic |
---|---|---|
T1537 | Transfer Data to Cloud Account | Exfiltration |
Detection: High Frequency Copy Of Files In Network Share
Description
The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.
Search
1`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2"
2| bucket _time span=5m
3| stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip
4| eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user
5| eval upperThreshold=(avgShareName + stdShareName *3)
6| eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0)
7| search isOutlier=1
8| `high_frequency_copy_of_files_in_network_share_filter`
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
Windows Event Log Security 5145 | Windows | 'xmlwineventlog' |
'XmlWinEventLog:Security' |
N/A |
Macros Used
Name | Value |
---|---|
wineventlog_security | eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security |
high_frequency_copy_of_files_in_network_share_filter | search * |
high_frequency_copy_of_files_in_network_share_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.
Known False Positives
This behavior may seen in normal transfer of file within network if network share is common place for sharing documents.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
High frequency copy of document into a network share from $src_ip$ by $src_user$ | 9 | 30 | 30 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3