Data Exfiltration

Description

The stealing of data by an adversary.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel: Endpoint, Endpoint_Processes, Network_Traffic
Last Updated: 2020-10-21
Author: Shannon Davis, Splunk
ID: 66b0fe0c-1351-11eb-adc1-0242ac120002

Narrative

Exfiltration comes in many flavors. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command and Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.

Detections

Name	Technique	Type
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
Detect SNICat SNI Exfiltration	Exfiltration Over C2 Channel	TTP
Detect shared ec2 snapshot	Transfer Data to Cloud Account	TTP
Excessive Usage of NSLOOKUP App	Exfiltration Over Alternative Protocol	Anomaly
Gdrive suspicious file sharing	Phishing	Hunting
Linux Curl Upload File	Ingress Tool Transfer	TTP
Mailsniper Invoke functions	Email Collection, Local Email Collection	TTP
Multiple Archive Files Http Post Traffic	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP
O365 PST export alert	Email Collection	TTP
O365 Suspicious Admin Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
O365 Suspicious User Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
Plain HTTP POST Exfiltrated Data	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP

Reference

https://attack.mitre.org/tactics/TA0010/

source | version: 1

Twitter Facebook LinkedIn