EXFILTRATION

SPLUNK: Search & Reporting
 SPL: sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("*backup.zip*", "*logs.tar.gz*") | table _time, path, user_agent
 DTG: All time
 TAB: Statistics
 
 * Matching results could indicate an attacker pulling compressed archives of logs or
   backups off the web server with a command-line client such as curl, zgrab, and more;
   the user_agent column helps separate such clients from normal browser traffic

DATA EXFILTRATION BY VOLUME

The sum() function, applied to the bytes_transferred field, totals the bytes sent from the compromised web server to the suspected C2 address. Because the search filters on action="ALLOWED", only traffic that actually left the network is counted; if exfiltration occurred, the result shows an unusually large volume of outbound data from that host.

SPLUNK: Search & Reporting
 SPL: sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="<REDACTED>" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip
 DTG: All time
 TAB: Statistics
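The two searches above, reimplemented in Python over constructed sample events so the logic can be checked offline. This is an added example, not part of the original notes: field names follow the SPL, while the sample IPs, timestamps and the 50 MB threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original page); field names mirror the SPL searches.
WEB_EVENTS = [
    {"_time": "2024-05-01T10:00:01", "client_ip": "203.0.113.7", "path": "/index.html", "user_agent": "Mozilla/5.0"},
    {"_time": "2024-05-01T10:02:14", "client_ip": "203.0.113.7", "path": "/private/backup.zip", "user_agent": "curl/8.4.0"},
    {"_time": "2024-05-01T10:02:40", "client_ip": "203.0.113.7", "path": "/var/logs.tar.gz", "user_agent": "curl/8.4.0"},
    {"_time": "2024-05-01T10:05:00", "client_ip": "198.51.100.9", "path": "/about", "user_agent": "Mozilla/5.0"},
]
FW_EVENTS = [
    {"src_ip": "10.10.1.5", "dest_ip": "203.0.113.7", "action": "ALLOWED", "bytes_transferred": 52_000_000},
    {"src_ip": "10.10.1.5", "dest_ip": "203.0.113.7", "action": "ALLOWED", "bytes_transferred": 48_000_000},
    {"src_ip": "10.10.1.5", "dest_ip": "203.0.113.7", "action": "DENIED", "bytes_transferred": 1_000},
    {"src_ip": "10.10.1.8", "dest_ip": "203.0.113.7", "action": "ALLOWED", "bytes_transferred": 2_048},
]
ARCHIVE_PATTERNS = ("*backup.zip*", "*logs.tar.gz*")

def wildcard_to_regex(pattern):
    # Translate an SPL-style wildcard ("*" matches anything) into a case-insensitive regex,
    # matching how Splunk treats wildcards in an IN(...) list.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.IGNORECASE)

def archive_requests(events, client_ip, patterns=ARCHIVE_PATTERNS):
    # Equivalent of: client_ip=X AND path IN (patterns) | table _time, path, user_agent
    regexes = [wildcard_to_regex(p) for p in patterns]
    return [
        (e["_time"], e["path"], e["user_agent"])
        for e in events
        if e["client_ip"] == client_ip and any(r.match(e["path"]) for r in regexes)
    ]

def bytes_by_src(events, dest_ip, src_ip=None):
    # Equivalent of: dest_ip=Y AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip
    # Denied flows are skipped: they never left the network, so they are not exfiltrated volume.
    totals = defaultdict(int)
    for e in events:
        if e["dest_ip"] != dest_ip or e["action"] != "ALLOWED":
            continue
        if src_ip is not None and e["src_ip"] != src_ip:
            continue
        totals[e["src_ip"]] += e["bytes_transferred"]
    return dict(totals)

def flag_volume(totals, threshold_bytes):
    # Internal hosts whose allowed outbound volume to the suspect destination exceeds the threshold.
    return sorted(ip for ip, total in totals.items() if total > threshold_bytes)

if __name__ == "__main__":
    print(archive_requests(WEB_EVENTS, "203.0.113.7"))
    print(flag_volume(bytes_by_src(FW_EVENTS, "203.0.113.7"), 50_000_000))
```

In a real investigation the threshold should come from a baseline of the host's normal outbound volume rather than a fixed number.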
