Try in Splunk Security Cloud


Monitor for and investigate activities–such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example–that may indicate that an adversary is harvesting and exfiltrating sensitive data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-02-03
  • Author: Rico Valdez, Splunk
  • ID: 8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a


A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on. Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. Use the searches to detect and monitor suspicious behavior related to these activities.


Name Technique Type
Detect Renamed 7-Zip Archive via Utility, Archive Collected Data Hunting
Detect Renamed WinRAR Archive via Utility, Archive Collected Data Hunting
Email files written outside of the Outlook directory Email Collection, Local Email Collection TTP
Email servers sending high volume traffic to hosts Email Collection, Remote Email Collection Anomaly
Hosts receiving high volume of network traffic from email server Remote Email Collection, Email Collection Anomaly
Suspicious writes to System Volume Information Masquerading Hunting
Suspicious writes to windows Recycle Bin Masquerading TTP


source | version: 1