Product: Firepower
Use-Case: Data Exfiltration
Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
---|---|---|---|---|
26 | 6 | 18 | 5 | 5 |
Event Type | Rules | Models |
---|---|---|
netflow-connection | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol ↳ A-NETFLOW-BitTorrent: Asset accessed BitTorrent application T1071.002 - Application Layer Protocol: File Transfer Protocols ↳ A-NETFLOW-BitTorrent: Asset accessed BitTorrent application |
|
process-created | T1071.002 - Application Layer Protocol: File Transfer Protocols ↳ ATP-FTP-Exfil: Exfiltration Over Alternative Protocol T1048 - Exfiltration Over Alternative Protocol ↳ A-Tap-Installer: TAP software was installed on this asset. ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. ↳ Tap-Installer: TAP software was installed. T1041 - Exfiltration Over C2 Channel ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.001 - Application Layer Protocol: Web Protocols ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1572 - Protocol Tunneling ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.004 - Application Layer Protocol: DNS ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ NSniff-Cred: Potential network sniffing was observed T1059 - Command and Scripting Interperter ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1560 - Archive Collected Data ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1003 - OS Credential Dumping ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected T1552.001 - T1552.001 ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected |
|
vpn-logout | TA0010 - TA0010 ↳ DLP-UPCOUNT: Abnormal number of DLP policy violations for user ↳ DLP-GPCOUNT: Abnormal number of DLP policy violations for peer group ↳ DLP-BSum: Abnormal amount of data written during DLP policy violation T1133 - External Remote Services ↳ VPN-BSum: Abnormal amount of data uploaded during VPN Session |
• DLP-BSum: Sum of bytes written during DLP policy violation • DLP-GPCOUNT: Count of DLP policy violations for peer group • DLP-UPCOUNT: Count of DLP policy violations for user • VPN-BSum: Sum of bytes uploaded during VPN |
web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service ↳ WEB-New-File-20: User with no web activity history has uploaded 20MB or more T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service T1041 - Exfiltration Over C2 Channel ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1567 - Exfiltration Over Web Service ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1568 - Dynamic Resolution ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |
web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service ↳ WEB-New-File-20-Block: User with no web activity history was blocked from uploading 20MB or more T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service T1568 - Dynamic Resolution ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |