Analytics Story: Data Exfiltration
Description
Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.
Why it matters
This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.
Correlation Search
1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS CloudTrail CreateSnapshot |  AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail CreateTask | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail DeleteSnapshot | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail GetObject | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail JobCreated | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail ModifyImageAttribute | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail ModifySnapshotAttribute | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail PutBucketReplication | AWS |
aws:cloudtrail |
aws_cloudtrail |
| AWS CloudTrail PutBucketVersioning | AWS |
aws:cloudtrail |
aws_cloudtrail |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
| Nginx Access | N/A | nginx:plus:kv |
/var/log/nginx/access.log |
| O365 | N/A | o365:management:activity |
o365 |
| Powershell Script Block Logging 4104 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Splunk Stream HTTP |  Splunk |
stream:http |
stream:http |
| Sysmon EventID 1 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 |  Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://attack.mitre.org/tactics/TA0010/
- https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436
- https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
Source: GitHub | Version: 2