
Description

The stealing of data by an adversary.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-10-21
  • Author: Shannon Davis, Splunk
  • ID: 66b0fe0c-1351-11eb-adc1-0242ac120002

Narrative

Exfiltration comes in many flavors. Adversaries can move data out over encrypted or unencrypted channels, and they can reuse command-and-control channels that are already in place rather than opening new connections. They can use standard data transfer protocols such as FTP or SCP, or they can tunnel data through protocols that were never meant for bulk transfer, such as DNS or ICMP, packing the payload into crafted fields (query names, TXT records, echo payloads) to slip past the security controls in place.
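The DNS case in the narrative is the one the two nslookup detections in this story target. The following Python is an added example written for this page, not Splunk search logic or code from the detections listed below: it builds a constructed DNS query log (a hypothetical "<ts> <src> query <qname> <qtype>" format) in which one host chunks a small file into base32 subdomain labels, then flags (source, base domain) pairs whose distinct subdomain prefixes are numerous, long, and high-entropy. The payload, hostnames, and thresholds are all assumptions made for the example.

```python
import base64
import math
from collections import Counter, defaultdict

# Constructed payload an adversary might tunnel out through DNS (hypothetical data).
_PAYLOAD = (
    b"employee,ssn,salary\n"
    b"jdoe,123-45-6789,98000\n"
    b"asmith,987-65-4321,112500\n"
    b"rlee,555-12-9876,87250\n"
)


def _encode_labels(payload: bytes, chunk: int = 20) -> list:
    """Split the payload into base32 labels (case-insensitive, DNS-safe).
    20 bytes -> 32 characters, comfortably under the 63-character label limit."""
    return [
        base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        for i in range(0, len(payload), chunk)
    ]


def build_sample_log() -> str:
    """Constructed DNS log: ordinary lookups from 10.1.2.3 and a chunked
    upload from 10.1.2.9 to an attacker-controlled zone (hypothetical names)."""
    lines = [
        "2020-10-21T10:00:01Z 10.1.2.3 query www.example.com A",
        "2020-10-21T10:00:02Z 10.1.2.3 query mail.example.com MX",
        "2020-10-21T10:00:03Z 10.1.2.3 query cdn-assets-01.example.com A",
        "2020-10-21T10:00:04Z 10.1.2.3 query api.example.com AAAA",
        "2020-10-21T10:00:05Z 10.1.2.3 query login.example.com A",
        "2020-10-21T10:00:06Z 10.1.2.3 query www.example.com A",
    ]
    # Each query carries a sequence number plus one chunk; the TXT answer can
    # carry data back, which is why the same channel doubles as C2.
    for seq, label in enumerate(_encode_labels(_PAYLOAD)):
        lines.append(f"2020-10-21T10:01:{seq:02d}Z 10.1.2.9 query {seq}.{label}.attacker-c2.invalid TXT")
    return "\n".join(lines)


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a run of one character, 2.0 for 'abcd'."""
    n = len(s)
    if n == 0:
        return 0.0
    return sum(-(c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue  # skip lines that do not match the assumed format
        ts, src, _, qname, qtype = parts
        records.append({"ts": ts, "src": src, "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def base_domain(qname: str) -> str:
    """Last two labels. Production code should consult a public-suffix list so
    that 'host.example.co.uk' is not reduced to 'co.uk'."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_exfil(records, min_queries=5, min_avg_len=20, min_avg_entropy=3.0):
    """Group queries by (source, base domain) and flag groups whose distinct
    subdomain prefixes look like chunked data rather than hostnames."""
    prefixes = defaultdict(set)
    for r in records:
        dom = base_domain(r["qname"])
        if r["qname"] != dom:
            prefixes[(r["src"], dom)].add(r["qname"][: -len(dom) - 1])
    alerts = []
    for (src, dom), subs in prefixes.items():
        payloads = [p.replace(".", "") for p in subs]  # dots are framing, not data
        if len(payloads) < min_queries:
            continue
        avg_len = sum(map(len, payloads)) / len(payloads)
        avg_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            alerts.append({"src": src, "domain": dom, "unique_subdomains": len(payloads),
                           "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_exfil(parse_dns_log(build_sample_log())):
        print(alert)
```

On the constructed log only 10.1.2.9 / attacker-c2.invalid is flagged: 10.1.2.3 also has five distinct subdomains under example.com, but their average prefix length is well under the threshold, which is why length and entropy are required together rather than unique-subdomain count alone. Tune the thresholds against your own resolver logs, and expect CDN and telemetry domains with hashed hostnames to need an allowlist.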

Detections

Name | Technique | Type
DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP
Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | TTP
Detect shared ec2 snapshot | Transfer Data to Cloud Account | TTP
Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly
Gdrive suspicious file sharing | Phishing | Hunting
Mailsniper Invoke functions | Email Collection, Local Email Collection | TTP
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP
O365 PST export alert | Email Collection | TTP
O365 Suspicious Admin Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly
O365 Suspicious User Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly
Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP
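The two HTTP POST entries in the table (Multiple Archive Files Http Post Traffic and Plain HTTP POST Exfiltrated Data) are SPL searches over web/proxy data in Splunk. The Python below is an added, simplified stand-in written for this page, not those searches or any Splunk code: it runs the same two ideas over a constructed proxy log in a hypothetical "<ts> <src> <method> <url> <status> <bytes_out> <content_type>" format, flagging a source that POSTs several archives to external hosts inside a short window, and any large POST sent over plain http:// to an external host. The internal-domain suffix list, archive signatures, window and byte threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions for this example: internal hostnames end in these suffixes, and
# archives are recognised by file extension or declared Content-Type.
INTERNAL_SUFFIXES = (".example.com",)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".gz", ".tgz", ".tar")
ARCHIVE_TYPES = {
    "application/zip", "application/x-zip-compressed", "application/x-rar-compressed",
    "application/x-7z-compressed", "application/gzip", "application/x-tar",
}

# Constructed proxy log (hypothetical format and hostnames).
SAMPLE_PROXY_LOG = """\
2020-10-21T14:00:00Z 10.1.2.3 POST https://sso.example.com/login 200 512 application/x-www-form-urlencoded
2020-10-21T14:00:30Z 10.1.2.3 POST https://api.example.com/v1/events 200 4096 application/json
2020-10-21T14:01:00Z 10.1.2.5 POST https://share.partner.invalid/upload/q3-report.7z 200 2097152 application/x-7z-compressed
2020-10-21T14:02:10Z 10.1.2.9 POST http://drop.attacker-c2.invalid/up/part1.zip 200 5242880 application/zip
2020-10-21T14:03:15Z 10.1.2.9 POST http://drop.attacker-c2.invalid/up/part2.zip 200 5242880 application/zip
2020-10-21T14:04:20Z 10.1.2.9 POST http://drop.attacker-c2.invalid/up/part3.zip 200 5242880 application/zip
2020-10-21T14:05:25Z 10.1.2.9 POST http://drop.attacker-c2.invalid/up/part4.zip 200 1048576 application/zip
2020-10-21T14:06:00Z 10.1.2.9 GET http://drop.attacker-c2.invalid/done 200 0 -
"""


def parse_proxy_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip lines that do not match the assumed format
        ts, src, method, url, status, bytes_out, ctype = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "url": url, "status": int(status),
            "bytes_out": int(bytes_out), "content_type": ctype.lower(),
        })
    return records


def is_external(url: str) -> bool:
    """IP-literal hosts are external unless private; names are external unless
    they carry an internal suffix."""
    host = urlsplit(url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return not host.endswith(INTERNAL_SUFFIXES)


def is_archive(rec: dict) -> bool:
    path = urlsplit(rec["url"]).path.lower()
    return path.endswith(ARCHIVE_EXT) or rec["content_type"] in ARCHIVE_TYPES


def detect_archive_post_bursts(records, window=timedelta(minutes=10), min_count=3):
    """Flag a source that POSTs at least min_count archives to external hosts
    within any window-sized span (sliding window over sorted timestamps)."""
    by_src = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and is_external(r["url"]) and is_archive(r):
            by_src[r["src"]].append(r["ts"])
    alerts = []
    for src, stamps in by_src.items():
        stamps.sort()
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= min_count:
            alerts.append({"src": src, "archive_posts_in_window": best})
    return alerts


def detect_plain_http_posts(records, min_bytes=1_000_000):
    """Flag large POST bodies sent in the clear (http://) to external hosts."""
    return [
        {"src": r["src"], "url": r["url"], "bytes_out": r["bytes_out"]}
        for r in records
        if r["method"] == "POST" and urlsplit(r["url"]).scheme == "http"
        and is_external(r["url"]) and r["bytes_out"] >= min_bytes
    ]


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print(detect_archive_post_bursts(recs))
    print(detect_plain_http_posts(recs))
```

On the constructed log, 10.1.2.9 trips both checks (four archive POSTs in four minutes, all over plain HTTP), while the single HTTPS .7z upload from 10.1.2.5 is left alone; a one-off archive upload to a partner is normal, a burst of chunked parts to an unfamiliar host is not. In a real deployment the byte threshold and the internal-suffix list need tuning, and the "external" test should also consult your proxy's category or reputation fields.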

Version: 1