detection.wiki

Detection rules › Splunk

High Frequency Copy Of Files In Network Share

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.

MITRE ATT&CK coverage

TacticTechniques
ExfiltrationT1537 Transfer Data to Cloud Account

Event coverage

ProviderEvent IDTitle
Security-Auditing5145A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: search

search AccessMask="0x2" EventCode=5145 ObjectType="File" RelativeTargetName IN ("*.7z", "*.bmp", "*.db", "*.doc", "*.docx", "*.gif", "*.gz", "*.jpg", "*.key", "*.log", "*.pdf", "*.png", "*.ppt", "*.pptx", "*.rar", "*.rtf", "*.tar", "*.txt", "*.xls", "*.xlsx", "*.zip") ShareName IN ("\\\\*\\C$", "\\\\*\\IPC$", "\\\\*\\admin$")

Stage 2: bucket

bucket span=5m _time

Stage 3: stats

stats BY dest, _time, EventCode, src_user, src_ip

Stage 4: eventstats

eventstats avg(numShareName) AS avgShareName, avg(numShareName) AS numSlots BY dest, _time, EventCode, src_user

Stage 5: eval

eval ... using (avgShareName, stdShareName)

Stage 6: eval

eval ... using (avgShareName, upperThreshold)

Stage 7: search

search isOutlier=1

Stage 8: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AccessMaskeq
  • "0x2" corpus 2 (splunk 2)
EventCodeeq
  • 5145 corpus 4 (splunk 4)
ObjectTypeeq
  • File corpus 5 (sigma 3, splunk 2)
RelativeTargetNamein
  • "*.7z"
  • "*.bmp"
  • "*.db"
  • "*.doc"
  • "*.docx"
  • "*.gif"
  • "*.gz"
  • "*.jpg"
  • "*.key"
  • "*.log"
  • "*.pdf"
  • "*.png"
  • "*.ppt"
  • "*.pptx"
  • "*.rar"
  • "*.rtf"
  • "*.tar"
  • "*.txt"
  • "*.xls"
  • "*.xlsx"
  • "*.zip"
ShareNamein
  • "\\\\*\\C$" corpus 3 (splunk 3)
  • "\\\\*\\IPC$" corpus 2 (splunk 2)
  • "\\\\*\\admin$" corpus 2 (splunk 2)
isOutliereq
  • 1 corpus 16 (splunk 16)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.