attack.t1048.003

Data Exfiltration with Wget
level
status experimental

Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions through a misconfigured sudo permission for wget, which could allow them to read files such as /etc/shadow.

High TXT Records Requests Rate
level
status test

Extremely high rate of TXT record type DNS requests from a host within a short period of time. Possibly the result of Do-exfiltration tool execution.

High NULL Records Requests Rate
level
status test

Extremely high rate of NULL record type DNS requests from a host within a short period of time. Possibly the result of iodine tool execution.

High DNS Requests Rate
level
status experimental

A high number of DNS requests from a host within a short period of time.

High DNS Requests Rate
level
status experimental

A high number of DNS requests from a host within a short period of time.

High DNS Bytes Out
level
status experimental

A high volume of outbound DNS query bytes from a host within a short period of time.

High DNS Bytes Out
level
status experimental

A high volume of outbound DNS query bytes from a host within a short period of time.

Possible DNS Tunneling
level
status test

Normally, DNS logs contain a limited number of distinct DNS queries for a single domain. This rule detects a high number of queries for a single domain, which can be an indicator that DNS is being used to transfer data.

Suspicious DNS Query with B64 Encoded String
level
status experimental

Detects suspicious DNS queries containing base64-encoded strings.

WebDav Put Request
level
status test

A general detection for the WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

Suspicious WebDav Client Execution
level
status test

A general detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration, or of WebDav being used to launch code hosted on a WebDav server.

Suspicious Outbound SMTP Connections
level
status experimental

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to a network location separate from the main command and control server.

PowerShell ICMP Exfiltration
level
status experimental

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

PowerShell Exfiltration Over SMTP
level
status experimental

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to a network location separate from the main command and control server.
