SPL · Apache-2.0 · from splunk/security_content

Linux Auditd Data Transfer Size Limits Via Split

The following analytic detects invocations of the `split` utility with the `-b` (byte-size) option, as recorded in Linux auditd EXECVE events. Cutting a large archive into fixed-size chunks is the Data Transfer Size Limits technique: attackers use it to slip staged data past size-based controls such as DLP thresholds, upload caps and alerts on large outbound transfers, then reassemble the pieces on the receiving end. `split` is a coreutils command, not a syscall; what auditd captures is the execve of the binary together with its argument list, and that is what the search matches on. Monitoring for unusual or unauthorized `split -b` usage surfaces exfiltration staging early enough for security teams to intervene before the data leaves the network. Expect legitimate hits from backup, packaging and file-transfer scripts; scope those out in the filter macro rather than loosening the search.

Quality: 51 · Forks: 0 · Views: 0
Rule source: detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
`linux_auditd` execve_command = "*split*" AND execve_command = "*-b *"
  | rename host as dest
  | rename comm as process_name
  | rename exe as process
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_data_transfer_size_limits_via_split_filter`
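To show what the search above actually matches, here is an added Python example (not part of this rule or of splunk/security_content) that parses constructed auditd EXECVE records, rebuilds `execve_command`, applies the two wildcard conditions and the `stats ... BY argc execve_command dest` grouping, and then lists the `split` spellings the literal `"*-b *"` misses. Assumptions are labelled in the comments: the sample records are made up, `node=` stands in for Splunk's `host`, and `execve_command` is taken to be `a0..aN` joined by single spaces.

```python
import re
from collections import defaultdict

# Constructed auditd EXECVE records, not real captures. The `node=` prefix is
# what auditd emits when name_format is set; it stands in for Splunk's host.
# a3 in the last record is hex-encoded, as auditd does for arguments that
# contain spaces or quotes.
SAMPLE_RECORDS = [
    'node=web01 type=EXECVE msg=audit(1700000000.101:301): argc=5 a0="split" a1="-b" a2="10M" a3="/tmp/archive.tar.gz" a4="part_"',
    'node=web01 type=EXECVE msg=audit(1700000000.102:302): argc=5 a0="split" a1="-b" a2="10M" a3="/tmp/archive.tar.gz" a4="part_"',
    'node=db01 type=EXECVE msg=audit(1700000000.103:303): argc=4 a0="split" a1="-l" a2="1000" a3="/var/log/app.log"',
    'node=db01 type=EXECVE msg=audit(1700000000.104:304): argc=3 a0="split" a1="--bytes=10M" a2="/tmp/archive.tar.gz"',
    'node=build01 type=EXECVE msg=audit(1700000000.105:305): argc=3 a0="split" a1="-b10M" a2="/tmp/archive.tar.gz"',
    'node=build01 type=EXECVE msg=audit(1700000000.106:306): argc=3 a0="ls" a1="-b" a2="/tmp"',
    'node=web01 type=EXECVE msg=audit(1700000000.107:307): argc=4 a0="/usr/bin/split" a1="-b" a2="500K" a3=2F746D702F612062',
]

_TS_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):\d+\)")
_NODE_RE = re.compile(r"\bnode=(\S+)")
_ARGC_RE = re.compile(r"\bargc=(\d+)")
_ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')


def parse_execve(line):
    """Turn one EXECVE record into the fields the SPL search operates on.

    execve_command is assumed to be a0..aN joined by single spaces (an
    assumption about how the Splunk add-on presents it). Returns None for
    records that are not EXECVE.
    """
    if "type=EXECVE" not in line:
        return None
    ts = _TS_RE.search(line)
    argc = _ARGC_RE.search(line)
    node = _NODE_RE.search(line)
    if not (ts and argc):
        return None
    args = {}
    for m in _ARG_RE.finditer(line):
        if m.group("quoted") is not None:
            args[int(m.group("idx"))] = m.group("quoted")
        else:  # hex-encoded argument: decode it back to text
            args[int(m.group("idx"))] = bytes.fromhex(m.group("hex")).decode("utf-8", "replace")
    argv = [args[i] for i in sorted(args)]
    return {
        "_time": float(ts.group("ts")),
        "argc": int(argc.group(1)),
        "dest": node.group(1) if node else "unknown",
        "argv": argv,
        "execve_command": " ".join(argv),
    }


def matches_rule(execve_command):
    """Emulate execve_command="*split*" AND execve_command="*-b *".

    Splunk wildcard field filters are case-insensitive substring matches, so
    the trailing space in "*-b *" is significant: "-b 10M" matches, while
    "-b10M" and "--bytes=10M" do not.
    """
    cmd = execve_command.lower()
    return "split" in cmd and "-b " in cmd


def run_detection(records):
    """Emulate stats count min(_time) max(_time) BY argc execve_command dest."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for line in records:
        ev = parse_execve(line)
        if ev is None or not matches_rule(ev["execve_command"]):
            continue
        g = groups[(ev["argc"], ev["execve_command"], ev["dest"])]
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
    return dict(groups)


def missed_byte_splits(records):
    """split invocations that set a byte size yet slip past the "-b " literal.

    These are the spellings a tuning pass would want to add: "-bSIZE" and
    "--bytes=SIZE" (with or without the "=").
    """
    missed = []
    for line in records:
        ev = parse_execve(line)
        if ev is None or matches_rule(ev["execve_command"]):
            continue
        argv = ev["argv"]
        if argv and argv[0].rsplit("/", 1)[-1] == "split" and any(
            a.startswith("-b") or a.startswith("--bytes") for a in argv[1:]
        ):
            missed.append(ev["execve_command"])
    return missed


if __name__ == "__main__":
    for key, agg in run_detection(SAMPLE_RECORDS).items():
        print(key, agg)
    print("missed:", missed_byte_splits(SAMPLE_RECORDS))
```

Against the constructed records the rule fires twice on web01 (once with count 2 for the repeated command, once for the `/usr/bin/split` path with a hex-encoded argument) and stays silent on `split -l`, on `ls -b`, and on both byte-size spellings that lack the literal `-b ` followed by a space. That last gap is the one to close when tuning: either add `execve_command="*--bytes*"` and a `-b*` variant, or match on the parsed arguments rather than the joined string.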