| ID | Technique | Tactic |
|---|---|---|
| T1567 | Exfiltration Over Web Service | Exfiltration |
Detection: High Volume of Bytes Out to Url
Description
The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.
Search
1
2| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype
3| search sum_bytes_out > 1070000000
4| `drop_dm_object_name("Web")`
5| `high_volume_of_bytes_out_to_url_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| Nginx Access | N/A | 'nginx:plus:kv' |
'/var/log/nginx/access.log' |
N/A |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| high_volume_of_bytes_out_to_url_filter | search * |
high_volume_of_bytes_out_to_url_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.ACTIONS_ON_OBJECTIVES
NistCategory.DE_AE
Cis18Value.CIS_13
APT28
Magic Hound
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the Web datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.
Known False Positives
This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$. | 9 | 30 | 30 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | /var/log/nginx/access.log |
nginx:plus:kv |
| Integration | ✅ Passing | Dataset | /var/log/nginx/access.log |
nginx:plus:kv |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2