Name:Plain HTTP POST Exfiltrated Data id:e2b36208-a364-11eb-8909-acde48001122 version:4 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration. Data_source:
-Splunk Stream HTTP
search:`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. known_false_positives:unknown References: -https://blog.talosintelligence.com/2020/03/trickbot-primer.html drilldown_searches: name:'View the detection results for - "$src_ip$"' search:'%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_ip$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Data Exfiltration' - 'Command And Control' asset_type:Endpoint confidence:90 impact:70 message:A http post $http_method$ sending packet with plain text of information in uri path $uri_path$ mitre_attack_id: - 'T1048.003' - 'T1048' observable: name:'src_ip' type:'IP Address' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'http_method' - 'http_user_agent' - 'uri_path' - 'url' - 'bytes_in' - 'bytes_out' risk_score:63 security_domain:network
