Analytics Story: Collection and Staging

Description

Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data.

Why it matters

A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on. Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. Use the searches to detect and monitor suspicious behavior related to these activities.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Email files written outside of the Outlook directory Email Collection, Local Email Collection TTP
Email servers sending high volume traffic to hosts Email Collection, Remote Email Collection Anomaly
Suspicious writes to System Volume Information Masquerading Hunting
Detect Renamed 7-Zip Archive via Utility, Archive Collected Data Hunting
Detect Renamed WinRAR Archive via Utility, Archive Collected Data Hunting
Suspicious writes to windows Recycle Bin Masquerading TTP
Hosts receiving high volume of network traffic from email server Remote Email Collection, Email Collection Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 2