-
Notifications
You must be signed in to change notification settings - Fork 391
/
Copy pathplain_http_post_exfiltrated_data.yml
69 lines (69 loc) · 3.18 KB
/
plain_http_post_exfiltrated_data.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Plain HTTP POST Exfiltrated Data
id: e2b36208-a364-11eb-8909-acde48001122
version: 6
date: '2025-02-10'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects potential data exfiltration using plain
HTTP POST requests. It leverages network traffic logs, specifically monitoring the
`stream_http` data source for POST methods containing suspicious form data such
as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly
associated with malware like Trickbot, trojans, keyloggers, or APT adversaries,
which use plain text HTTP POST requests to communicate with remote C2 servers. If
confirmed malicious, this activity could lead to unauthorized data exfiltration,
compromising sensitive information and potentially leading to further network infiltration.
data_source:
- Splunk Stream HTTP
search: '`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*",
"*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*") |stats values(form_data)
as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip
dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the stream HTTP logs or network logs that catch network traffic. Make
sure that the http-request-body, payload, or request field is enabled.
known_false_positives: unknown
references:
- https://blog.talosintelligence.com/2020/03/trickbot-primer.html
drilldown_searches:
- name: View the detection results for - "$src_ip$"
search: '%original_detection_search% | search src_ip = "$src_ip$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A http post $http_method$ sending packet with plain text of information
in uri path $uri_path$
risk_objects:
- field: src_ip
type: system
score: 63
threat_objects: []
tags:
analytic_story:
- Data Exfiltration
- Command And Control
asset_type: Endpoint
mitre_attack_id:
- T1048.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log
source: stream
sourcetype: stream:http