Detecting data exfiltration activities
When attackers set out to identify and exfiltrate data from a target organization, their attacks involve three main activities: identification, collection, and staging of data for exfiltration.
- Identification includes scanning systems and observing user activity.
- Collection includes the transfer of large amounts of data from various repositories.
- Staging, or preparation, includes moving data to a central location and compressing it, and optionally encoding or encrypting it.
These searches allow you to detect and monitor suspicious behavior related to these activities.
How to use Splunk software for this use case
- DNS exfiltration using NSLOOKUP app
- Excessive usage of NSLOOKUP app
- High volume of bytes out to Url
- Linux Curl upload file
- Mailsniper invoke functions
- Multiple archive files http post traffic
- Plain HTTP POST exfiltrated data
Exfiltration from AWS
- AWS AMI Attribute Modification for Exfiltration
- AWS Disable Bucket Versioning
- AWS EC2 Snapshot Shared Externally
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Batch Service
- AWS Exfiltration via Bucket Replication
- AWS Exfiltration via DataSync Task
- AWS Exfiltration via EC2 Snapshot
Exfiltration from Google
Exfiltration from O365
- O365 Application Available To Other Tenants
- O365 DLP Rule Triggered
- O365 Email Access By Security Administrator
- O365 PST export alert
- Detect Certipy File Modifications
Next steps
In addition, these Splunk resources might help you understand and implement this use case:
- Blog: Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
- If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.