Data Exfiltration

Try in Splunk Security Cloud

Description

Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Resolution, Risk
• Last Updated: 2023-05-17
• Author: Bhavin Patel, Shannon Davis, Splunk
• ID: 66b0fe0c-1351-11eb-adc1-0242ac120002

Narrative

This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.
Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.

Detections

Name	Technique	Type
AWS AMI Atttribute Modification for Exfiltration	Transfer Data to Cloud Account	TTP
AWS Disable Bucket Versioning	Inhibit System Recovery	Anomaly
AWS EC2 Snapshot Shared Externally	Transfer Data to Cloud Account	TTP
AWS Exfiltration via Anomalous GetObject API Activity	Automated Collection	Anomaly
AWS Exfiltration via Batch Service	Automated Collection	TTP
AWS Exfiltration via Bucket Replication	Transfer Data to Cloud Account	TTP
AWS Exfiltration via DataSync Task	Automated Collection	TTP
AWS Exfiltration via EC2 Snapshot	Transfer Data to Cloud Account	TTP
AWS S3 Exfiltration Behavior Identified	Transfer Data to Cloud Account	Correlation
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
Detect DGA domains using pretrained model in DSDL	Domain Generation Algorithms	Anomaly
Detect SNICat SNI Exfiltration	Exfiltration Over C2 Channel	TTP
Excessive Usage of NSLOOKUP App	Exfiltration Over Alternative Protocol	Anomaly
Gdrive suspicious file sharing	Phishing	Hunting
Linux Curl Upload File	Ingress Tool Transfer	TTP
Mailsniper Invoke functions	Email Collection, Local Email Collection	TTP
Multiple Archive Files Http Post Traffic	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP
O365 PST export alert	Email Collection	TTP
O365 Suspicious Admin Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
O365 Suspicious User Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
Plain HTTP POST Exfiltrated Data	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP

Reference

• https://attack.mitre.org/tactics/TA0010/
• https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436
• https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a

source | version: 2