Techniques
Sample rules
O365 Exfiltration via File Sync Download
- source: splunk
- techniques:
  - T1567
  - T1530
Description
The following analytic detects when an excessive number of files are synced from O365 by the same user over a short period of time. A malicious actor may abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be given to any Azure Guest (#EXT#) accounts.
Detection logic
`o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*"
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
| where NOT match(SiteUrl,user_flat)
| stats values(user) as user, latest(ClientIP) as src, values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
| rename SiteUrl as file_path,Workload as app
| where count > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_exfiltration_via_file_sync_download_filter`
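
The same filtering, own-site exclusion, grouping and threshold, re-implemented in Python so the logic can be exercised offline against test events. This is an added example, not part of the Splunk rule. The event values, the `make_events` helper and the `guest` triage flag are assumptions made for the illustration; only the field names come from the search above.

```python
import re
from collections import defaultdict

def normalize_user(user_id):
    # eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@")
    return user_id.lower().split("#ext#")[0].replace("_", "@")

def detect(events, threshold=50):
    groups = defaultdict(list)
    for ev in events:
        # Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" (case-insensitive)
        if not (ev["Operation"].lower().startswith("filesyncdownload")
                and "skydrivesync" in ev["UserAgent"].lower()):
            continue
        # where NOT match(SiteUrl,user_flat): skip a user syncing their own OneDrive site
        user_flat = re.sub(r"[^A-Za-z0-9]", "_", ev["UserId"])
        if re.search(user_flat, ev["SiteUrl"]):
            continue
        groups[(ev["Workload"], ev["UserId"], ev["SiteUrl"])].append(ev)
    alerts = []
    for (app, user_id, site), evs in groups.items():
        count = len({e["SourceFileName"] for e in evs})  # dc(SourceFileName)
        if count > threshold:
            newest = max(evs, key=lambda e: e["_time"])  # latest(ClientIP)
            alerts.append({
                "user": normalize_user(user_id), "app": app, "file_path": site,
                "src": newest["ClientIP"], "count": count,
                "firstTime": min(e["_time"] for e in evs), "lastTime": newest["_time"],
                "guest": "#ext#" in user_id.lower(),  # added triage flag, not in the rule
            })
    return alerts

def make_events(user_id, site, n, op="FileSyncDownloadedFull",
                ua="Microsoft SkyDriveSync 0.0.0.0 (constructed)"):
    # Constructed sample events; field names follow the rule, values are invented.
    return [{"Workload": "SharePoint", "UserId": user_id, "SiteUrl": site,
             "Operation": op, "UserAgent": ua, "ClientIP": "203.0.113.10",
             "SourceFileName": f"doc{i}.xlsx", "_time": 1700000000 + i}
            for i in range(n)]

FINANCE = "https://contoso.sharepoint.com/sites/finance/"
SAMPLE = (
    make_events("bob_partner.example#EXT#@contoso.onmicrosoft.com", FINANCE, 51)
    + make_events("carol@contoso.com", FINANCE, 50)   # at threshold, not above
    + make_events("alice@contoso.com",
                  "https://contoso-my.sharepoint.com/personal/alice_contoso_com/", 60)
    + make_events("dave@contoso.com", FINANCE, 60, op="FileDownloaded", ua="Mozilla/5.0")
)

print(detect(SAMPLE))
```

Only the guest account's 51-file sync from the shared site alerts: the 50-file sync sits at the threshold, the 60-file sync is the user's own OneDrive site, and the browser downloads carry neither the sync operation nor the sync user agent.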