Product: ClientView
Use-Case: Data Exfiltration
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 23 | 3 | 16 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| file-write | TA0002 - TA0002 ↳ FA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during file activity ↳ FA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during file activity |
• FA-UP-TEMP: Process executable TEMP directories for this user during file activity |
| process-created | T1071.002 - Application Layer Protocol: File Transfer Protocols ↳ ATP-FTP-Exfil: Exfiltration Over Alternative Protocol T1048 - Exfiltration Over Alternative Protocol ↳ A-Tap-Installer: TAP software was installed on this asset. ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. ↳ Tap-Installer: TAP software was installed. T1041 - Exfiltration Over C2 Channel ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.001 - Application Layer Protocol: Web Protocols ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1572 - Protocol Tunneling ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.004 - Application Layer Protocol: DNS ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ NSniff-Cred: Potential network sniffing was observed T1059 - Command and Scripting Interperter ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1560 - Archive Collected Data ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1003 - OS Credential Dumping ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected T1552.001 - T1552.001 ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected |
|
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service ↳ WEB-New-File-20: User with no web activity history has uploaded 20MB or more T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service T1041 - Exfiltration Over C2 Channel ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1567 - Exfiltration Over Web Service ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1568 - Dynamic Resolution ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service ↳ WEB-New-File-20-Block: User with no web activity history was blocked from uploading 20MB or more T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service T1568 - Dynamic Resolution ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |