Analytics Story: Collection and Staging

Description

Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data.

Why it matters

A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on. Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. Use the searches to detect and monitor suspicious behavior related to these activities.

Detections

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	crowdstrike:events:sensor	crowdstrike
Sysmon EventID 1	Windows	xmlwineventlog	XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11	Windows	xmlwineventlog	XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688	Windows	xmlwineventlog	XmlWinEventLog:Security

References

• https://attack.mitre.org/wiki/Collection
• https://attack.mitre.org/wiki/Technique/T1074

Source: GitHub | Version: 2