Description

Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat, especially in the form of information sabotage.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics
  • Datamodel:
  • Last Updated: 2021-11-17
  • Author: Teoderick Contreras, Splunk
  • ID: b71ba595-ef80-4e39-8b66-887578a7a71b

Narrative

Information sabotage is the type of crime many people associate with insider threat. It occurs when current or former employees, contractors, or business partners intentionally exceed or misuse an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization’s data, systems, and/or daily business operations.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP |
| Fsutil Zeroing File | Indicator Removal | TTP |
| Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP |
| High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | Anomaly |
| Sdelete Application Execution | Data Destruction, File Deletion, Indicator Removal | Anomaly |
| Wevtutil Usage To Disable Logs | Indicator Removal, Clear Windows Event Logs | TTP |

Reference

source | version: 1