Normal archive transfer over HTTP may trip this detection.

Techniques

Sample rules

Multiple Archive Files Http Post Traffic

Description

The following analytic detects the high-frequency exfiltration of archive files via HTTP POST requests. It leverages HTTP stream logs to identify specific archive file headers within the request body. This activity is significant as it often indicates data exfiltration by APTs or trojan spyware after data collection. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive data to an attacker’s command and control server, potentially resulting in severe data breaches and loss of confidential information.

Detection logic

`stream_http` http_method=POST
| eval archive_hdr1 = substr(form_data,1,2)
| eval archive_hdr2 = substr(form_data,1,4)
| stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2
| where count > 20 AND (archive_hdr1 = "7z" OR archive_hdr1 = "PK" OR archive_hdr2 = "Rar!")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `multiple_archive_files_http_post_traffic_filter`
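To make the stats/where clauses concrete, the following is an added Python re-implementation of the rule's grouping, magic-byte check and count threshold run over constructed stream_http events; it is not part of this LoFP page or of the Splunk rule. It assumes the url, bytes_in and bytes_out fields can be dropped from the group key so repeated uploads from one client fall into one bucket, and it includes a legitimate internal backup job to show why the normal archive transfer noted above fires as well.

```python
from collections import defaultdict

# Magic prefixes the SPL checks: first two bytes "7z" or "PK", or first four bytes "Rar!".
ARCHIVE_MAGIC_2 = {"7z", "PK"}
ARCHIVE_MAGIC_4 = {"Rar!"}
COUNT_THRESHOLD = 20  # the rule's "where count > 20"
# The stats clause also groups by url, bytes_in and bytes_out; they are left out here
# (assumption) so that repeated uploads from one client land in one bucket.
GROUP_FIELDS = ("src_ip", "dest_ip", "http_method", "http_user_agent", "uri_path")

def archive_headers(form_data):
    """Return the (archive_hdr1, archive_hdr2) pair the rule derives with substr()."""
    return form_data[:2], form_data[:4]

def detect(events):
    """Replicate `stats count by <fields> archive_hdr1 archive_hdr2 | where ...`.

    events: dicts using stream_http field names. Returns [(group_key, count), ...]
    for every bucket that would raise an alert.
    """
    buckets = defaultdict(int)
    for ev in events:
        if ev.get("http_method") != "POST":
            continue  # the base search only selects POST requests
        hdr1, hdr2 = archive_headers(ev.get("form_data", ""))
        key = tuple(ev.get(f) for f in GROUP_FIELDS) + (hdr1, hdr2)
        buckets[key] += 1
    return [(key, n) for key, n in buckets.items()
            if n > COUNT_THRESHOLD and (key[-2] in ARCHIVE_MAGIC_2 or key[-1] in ARCHIVE_MAGIC_4)]

def posts(src, dest, uri, body, n):
    """Constructed sample events: n POSTs sharing client, server, path and body prefix."""
    return [{"src_ip": src, "dest_ip": dest, "http_method": "POST", "http_user_agent": "curl/8.0",
             "uri_path": uri, "form_data": body} for _ in range(n)]

# Constructed traffic, not real logs. 203.0.113.7 stands in for an external C2 host and
# 10.0.0.20 for an internal backup server that legitimately receives the same uploads.
SAMPLE_EVENTS = (
    posts("10.0.0.5", "203.0.113.7", "/upload", "PK\x03\x04\x14\x00", 25)   # exfil-like: alerts
    + posts("10.0.0.5", "203.0.113.7", "/api", '{"status":"ok"}', 40)      # no archive magic: silent
    + posts("10.0.0.9", "10.0.0.20", "/backup", "Rar!\x1a\x07\x01\x00", 5)  # archive, but count <= 20
    + posts("10.0.0.11", "10.0.0.20", "/backup", "7z\xbc\xaf\x27\x1c", 30)  # normal backup job: alerts too
)

if __name__ == "__main__":
    for key, n in detect(SAMPLE_EVENTS):
        print(f"{n:>3} POSTs  {key[0]} -> {key[1]} {key[4]}  archive_hdr2={key[-1]!r}")
```

Running it reports two buckets: the 25 zip uploads to the external host and the 30 7z uploads to the internal backup server, which is exactly the benign case that produces the false positive.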