Product: SIGSCI
Use-Case: Data Exfiltration
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 8 | 2 | 7 | 2 | 1 |
| Event Type | Rules | Models |
|---|---|---|
| web-activity-allowed | T1041 - Exfiltration Over C2 Channel ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1567 - Exfiltration Over Web Service ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1071 - Application Layer Protocol ↳ WEB-New-File-20: User with no web activity history has uploaded 20MB or more ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-New-File-20: User with no web activity history has uploaded 20MB or more ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1568 - Dynamic Resolution ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |
| web-activity-denied | T1071 - Application Layer Protocol ↳ WEB-New-File-20-Block: User with no web activity history was blocked from uploading 20MB or more ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-New-File-20-Block: User with no web activity history was blocked from uploading 20MB or more ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1568 - Dynamic Resolution ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1567 - Exfiltration Over Web Service ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |