
Description

The theft of collected data by an adversary.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-10-21
  • Author: Shannon Davis, Splunk
  • ID: 66b0fe0c-1351-11eb-adc1-0242ac120002

Narrative

Exfiltration comes in many flavors. Adversaries can move collected data over encrypted or unencrypted channels, and they can reuse Command and Control channels that are already in place instead of opening new connections. They can use standard data transfer protocols such as FTP or SCP, or they can tunnel data through protocols that were never meant to carry files, such as DNS or ICMP, with specially crafted fields (for example, encoded data packed into subdomain labels or ICMP payloads) to circumvent the security controls in place.
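The DNS case above is the one most often missed by perimeter controls, because DNS is almost always allowed out. The following added example, which is not part of the Splunk analytic story, shows the heuristic behind detections such as "DNS Exfiltration Using Nslookup App" and "Excessive Usage of NSLOOKUP App": it groups a DNS query log by source and registered domain and flags hosts that resolve many distinct, long, high-entropy labels under one domain. The log lines are constructed, and the thresholds and the two-label approximation of the registered domain are assumptions to tune locally.

```python
"""DNS-tunnelling heuristic over a DNS query log.

Added example, not part of the Splunk analytic story.  It scores each
(source, registered domain) pair by the number of distinct subdomain
payloads, their mean length and their Shannon entropy: a host that
resolves many long, high-entropy labels under one domain is behaving
like nslookup-driven exfiltration rather than normal browsing.
"""
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (subdomain labels, registered domain) for a query name.

    Simplification (assumption): the registered domain is taken to be the
    last two labels.  Production code should use the Public Suffix List so
    that names like host.example.co.uk are grouped correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def score_sources(records, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Aggregate (src, qname) records and flag likely tunnelling.

    Returns {(src, registered_domain): {"count", "mean_len", "entropy", "flagged"}}.
    The thresholds are starting points to tune against a local baseline.
    """
    payloads = defaultdict(set)  # (src, domain) -> distinct payload labels
    for src, qname in records:
        sub_labels, domain = split_query(qname)
        if not sub_labels:
            continue  # bare domain, nothing to carry data in
        # Tunnels put their data in the longest label left of the domain.
        payloads[(src, domain)].add(max(sub_labels, key=len))

    results = {}
    for key, labels in payloads.items():
        mean_len = sum(len(p) for p in labels) / len(labels)
        entropy = shannon_entropy("".join(labels))
        results[key] = {
            "count": len(labels),
            "mean_len": mean_len,
            "entropy": entropy,
            "flagged": (
                len(labels) >= min_queries
                and mean_len >= min_label_len
                and entropy >= min_entropy
            ),
        }
    return results


# Constructed sample log (src, query name); not real telemetry.  10.0.0.9
# resolves six 32-character labels under one domain, the classic shape of
# data encoded into subdomains.  10.0.0.7 shows that one long CDN label
# alone does not trip the count threshold.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.cloudfront.net"),
    ("10.0.0.9", "q7x2mz9fkp3vbn8wrt4lc6yd0gs1hj5a.t.badexample.org"),
    ("10.0.0.9", "a5jh1sg0dy6cl4trw8nbv3pkf9zm2x7q.t.badexample.org"),
    ("10.0.0.9", "kp3vbn8wrt4lc6yd0gs1hj5aq7x2mz9f.t.badexample.org"),
    ("10.0.0.9", "f9zm2x7qa5jh1sg0dy6cl4trw8nbv3pk.t.badexample.org"),
    ("10.0.0.9", "rt4lc6yd0gs1hj5aq7x2mz9fkp3vbn8w.t.badexample.org"),
    ("10.0.0.9", "0gs1hj5aq7x2mz9fkp3vbn8wrt4lc6yd.t.badexample.org"),
]

if __name__ == "__main__":
    for (src, domain), r in score_sources(SAMPLE_DNS_LOG).items():
        flag = "SUSPECT" if r["flagged"] else "ok"
        print(f"{flag:8} {src:<10} {domain:<18} n={r['count']} "
              f"len={r['mean_len']:.1f} H={r['entropy']:.2f}")
```

Entropy alone is a weak signal (CDN and anti-virus lookup names are long and random-looking too), which is why the score requires volume, length and entropy together under one registered domain; in Splunk the same logic maps to a stats count over src and the extracted domain followed by the length and entropy thresholds.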

Detections

Name | Technique | Type
---- | --------- | ----
Detect shared ec2 snapshot | Transfer Data to Cloud Account | TTP
O365 PST export alert | Email Collection | TTP
O365 Suspicious Admin Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly
O365 Suspicious User Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly
DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP
Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly
Mailsniper Invoke functions | Email Collection, Local Email Collection | TTP
Gdrive suspicious file sharing | Phishing | Hunting
Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | TTP
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP
Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP
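The last two detections in the table target the unencrypted case: archives posted over plain HTTP. The following added example is not part of the Splunk analytic story or its searches; it shows the logic such a rule applies to captured HTTP events. The event field names (src, dest, http_method, url, bytes_out, body_prefix) and the burst threshold are assumptions modelled on proxy or stream-capture data, and the events are constructed. It identifies archives by their magic bytes rather than by file extension, because an adversary controls the filename but not the container format.

```python
"""Plaintext HTTP POST of archive files.

Added example, not part of the Splunk analytic story.  Field names
(src, dest, http_method, url, bytes_out, body_prefix) are assumptions
modelled on proxy or stream-capture events; body_prefix is the first
few bytes of the request body, which plaintext HTTP capture can expose.
Several archive uploads from one host to one destination over http://
are flagged as likely bulk exfiltration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Magic bytes of common archive formats.  PK\x03\x04 also matches any
# ZIP container (docx, jar, apk), so tune or allow-list for your environment.
ARCHIVE_MAGIC = (
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
)


def archive_type(body_prefix: bytes):
    """Return the archive format name if the body starts with a known magic, else None."""
    for magic, name in ARCHIVE_MAGIC:
        if body_prefix.startswith(magic):
            return name
    return None


def detect_archive_posts(events, min_posts=3):
    """Group plaintext POSTs carrying archives by (src, dest) and flag bursts.

    Returns a list of {"src", "dest", "count", "bytes_out", "types"} for
    every pair with at least min_posts such requests.
    """
    groups = defaultdict(lambda: {"count": 0, "bytes_out": 0, "types": set()})
    for ev in events:
        if ev.get("http_method") != "POST":
            continue
        if urlsplit(ev.get("url", "")).scheme != "http":
            continue  # encrypted POSTs need TLS inspection; out of scope here
        kind = archive_type(ev.get("body_prefix", b""))
        if kind is None:
            continue
        g = groups[(ev["src"], ev["dest"])]
        g["count"] += 1
        g["bytes_out"] += int(ev.get("bytes_out", 0))
        g["types"].add(kind)

    hits = []
    for (src, dest), g in groups.items():
        if g["count"] >= min_posts:
            hits.append({"src": src, "dest": dest, "count": g["count"],
                         "bytes_out": g["bytes_out"], "types": sorted(g["types"])})
    return hits


# Constructed sample events; not real traffic.
SAMPLE_HTTP_EVENTS = [
    # Four archive uploads over plain HTTP from one host to one server.
    {"src": "10.0.0.23", "dest": "203.0.113.10", "http_method": "POST",
     "url": "http://203.0.113.10/up", "bytes_out": 1_048_576, "body_prefix": b"PK\x03\x04\x14\x00"},
    {"src": "10.0.0.23", "dest": "203.0.113.10", "http_method": "POST",
     "url": "http://203.0.113.10/up", "bytes_out": 2_097_152, "body_prefix": b"PK\x03\x04\x14\x00"},
    {"src": "10.0.0.23", "dest": "203.0.113.10", "http_method": "POST",
     "url": "http://203.0.113.10/up", "bytes_out": 524_288, "body_prefix": b"Rar!\x1a\x07\x01\x00"},
    {"src": "10.0.0.23", "dest": "203.0.113.10", "http_method": "POST",
     "url": "http://203.0.113.10/up", "bytes_out": 786_432, "body_prefix": b"PK\x03\x04\x0a\x00"},
    # Ordinary JSON login POST and a GET: not archives.
    {"src": "10.0.0.31", "dest": "192.0.2.44", "http_method": "POST",
     "url": "http://192.0.2.44/api/login", "bytes_out": 412, "body_prefix": b'{"user":'},
    {"src": "10.0.0.31", "dest": "192.0.2.44", "http_method": "GET",
     "url": "http://192.0.2.44/", "bytes_out": 0, "body_prefix": b""},
    # A single gzip upload stays below the burst threshold.
    {"src": "10.0.0.40", "dest": "198.51.100.7", "http_method": "POST",
     "url": "http://198.51.100.7/backup", "bytes_out": 65_536, "body_prefix": b"\x1f\x8b\x08\x00"},
    # The same bytes over HTTPS are invisible to this rule without TLS inspection.
    {"src": "10.0.0.40", "dest": "198.51.100.7", "http_method": "POST",
     "url": "https://198.51.100.7/backup", "bytes_out": 65_536, "body_prefix": b"\x1f\x8b\x08\x00"},
]

if __name__ == "__main__":
    for h in detect_archive_posts(SAMPLE_HTTP_EVENTS):
        print(f"{h['src']} -> {h['dest']}: {h['count']} archive POSTs, "
              f"{h['bytes_out']} bytes, types={h['types']}")
```

The HTTPS event at the end is deliberate: the same upload over TLS produces no body bytes to inspect, which is why this story pairs the plaintext rules with C2-channel and SNI-based detections rather than relying on content inspection alone.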
