
Plain HTTP POST Exfiltrated Data

Status: production
Severity: medium
Group by: bytes_in, bytes_out, dest_ip, http_method, http_user_agent, src_ip, uri_path, url
Author: Teoderick Contreras, Splunk
Source: github.com/splunk/security_content

The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the stream_http data source for POST methods containing suspicious form data such as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.

MITRE ATT&CK coverage: T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol)

Rule body (YAML)

name: Plain HTTP POST Exfiltrated Data
id: e2b36208-a364-11eb-8909-acde48001122
version: 13
creation_date: '2021-04-22'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.
data_source:
    - Splunk Stream HTTP
search: |-
    `stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*")
      | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count
        BY src_ip dest_ip http_method
           http_user_agent uri_path url
           bytes_in bytes_out
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `plain_http_post_exfiltrated_data_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.
known_false_positives: No false positives have been identified at this time.
references:
    - https://blog.talosintelligence.com/2020/03/trickbot-primer.html
drilldown_searches:
    - name: View the detection results for - "$src_ip$"
      search: '%original_detection_search% | search  src_ip = "$src_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A http post $http_method$ sending packet with plain text of information in uri path $uri_path$
    entity:
        field: src_ip
        type: system
        score: 50
analytic_story:
    - Data Exfiltration
    - Command And Control
    - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
    - T1048.003
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log
          source: stream
          sourcetype: stream:http
      test_type: unit

Stages and Predicates

Stage 1: search

`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*")

Stage 2: stats

| stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count
    BY src_ip dest_ip http_method
       http_user_agent uri_path url
       bytes_in bytes_out

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `plain_http_post_exfiltrated_data_filter`
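As an added illustration (not code from the Splunk rule or the security_content project), the Python below re-implements stages 1 and 2 of the search over a few constructed stream:http events: the six SPL wildcards from the form_data IN clause become case-insensitive regexes, and matching POSTs are aggregated BY the rule's group fields exactly as the stats stage does. The sample events are constructed for this example, not taken from the attack_data set.

```python
import json
import re
from collections import defaultdict

# The six SPL wildcard patterns from the rule's form_data IN (...) clause.
FORM_DATA_PATTERNS = ['*wermgr.exe*', '*svchost.exe*', '*name="proclist"*',
                      '*ipconfig*', '*name="sysinfo"*', '*net view*']
# The BY clause of the stats stage.
GROUP_BY = ("src_ip", "dest_ip", "http_method", "http_user_agent",
            "uri_path", "url", "bytes_in", "bytes_out")

def spl_wildcard_to_regex(pattern):
    """SPL '*' matches any run of characters; Splunk field-value matching is
    case-insensitive, so the compiled regex is too."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [spl_wildcard_to_regex(p) for p in FORM_DATA_PATTERNS]

def matches_stage1(event):
    """Stage 1: http_method=POST AND form_data matches at least one pattern."""
    if str(event.get("http_method", "")).upper() != "POST":
        return False
    return any(rx.match(str(event.get("form_data", ""))) for rx in COMPILED)

def run_detection(events):
    """Stage 2: values(form_data), min/max(_time), count BY the rule's group fields."""
    groups = defaultdict(lambda: {"http_request_body": set(), "count": 0,
                                  "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_stage1(ev):
            continue
        g = groups[tuple(ev.get(f) for f in GROUP_BY)]
        g["http_request_body"].add(ev["form_data"])
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **stats) for key, stats in groups.items()]

# Constructed stream:http events (not the rule's attack_data set): two matching
# POSTs from one host, a benign login POST, and a GET that must not match.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"_time": 1619078400, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "http_method": "POST", "http_user_agent": "Mozilla/4.0", "uri_path": "/upload", "url": "http://203.0.113.7/upload", "bytes_in": 120, "bytes_out": 4096, "form_data": "name=\"proclist\"; svchost.exe 1024 wermgr.exe 2048"}
{"_time": 1619078460, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "http_method": "POST", "http_user_agent": "Mozilla/4.0", "uri_path": "/upload", "url": "http://203.0.113.7/upload", "bytes_in": 120, "bytes_out": 4096, "form_data": "name=\"sysinfo\"; Windows 10 Pro build 19042"}
{"_time": 1619078500, "src_ip": "10.0.0.8", "dest_ip": "198.51.100.20", "http_method": "POST", "http_user_agent": "Mozilla/5.0", "uri_path": "/login", "url": "http://198.51.100.20/login", "bytes_in": 300, "bytes_out": 64, "form_data": "username=alice&remember=1"}
{"_time": 1619078520, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "http_method": "GET", "http_user_agent": "Mozilla/4.0", "uri_path": "/ping", "url": "http://203.0.113.7/ping", "bytes_in": 10, "bytes_out": 10, "form_data": "net view"}
'''.strip().splitlines()]
```

Because bytes_in and bytes_out are part of the BY clause, two POSTs of different sizes land in separate result rows, so the two sample exfiltration events deliberately share the same byte counts to make the aggregation visible.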

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: form_data
Kind: in
Values:
  • "*wermgr.exe*"
  • "*svchost.exe*"
  • "*name=\"proclist\"*"
  • "*ipconfig*"
  • "*name=\"sysinfo\"*"
  • "*net view*"

Field: http_method
Kind: eq
Values:
  • POST

Field: sourcetype
Kind: eq
Values:
  • stream:http