Find sigma rule

Attack: Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

MITRE

Tactic

exfiltration

technique

T1020

Test : IcedID Botnet HTTP PUT

OS

windows

Description:

Creates a text file Tries to upload to a server via HTTP PUT method with ContentType Header Deletes a created file

Executor

powershell

Sigma Rule

posh_ps_script_with_upload_capabilities.yml (id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb)
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test