← Library
splApache-2.0from splunk/security_content

Linux Auditd Data Transfer Size Limits Via Split Syscall

The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
`linux_auditd` type=SYSCALL comm=split OR exe= "*/split"
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY comm exe syscall
       uid ppid pid
       success dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`