Detect SNICat SNI Exfiltration


This search looks for the command tokens that the SNICat exfiltration tool places in the TLS Server Name Indication (SNI) field of the Client Hello.


Detect SNICat SNI Exfiltration Help

You must be ingesting Zeek SSL data (ssl.log) into Splunk, and the Zeek logs must be in JSON format so that the server_name field is available to the search. The search fires when any of the predefined SNICat command tokens appears in the server_name (SNI) field. These tokens are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE and finito. Several of them are short (LS, LD, CB, EX), so match them as a whole label at the start of server_name rather than as a bare substring, or ordinary hostnames will trigger the search. Once a hit is found, pivot on the source and destination hosts and run further searches to decode the SNI values, to prove or disprove that data was actually exfiltrated.
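The check described above, run over Zeek ssl.log JSON lines, as an added example that is neither the Splunk search itself nor SNICat's own code. The log lines are constructed, and the assumption that the command token is the first DNS label of the SNI, on its own or followed by "-<session id>", is mine; adjust the pattern to whatever format your copy of the search expects.

```python
"""Flag SNICat-style command tokens in Zeek ssl.log JSON output.

Added example; not the Splunk search and not SNICat's code.
"""
import json
import re
from collections import Counter

# Command tokens named in the help text. SNICat emits them as written
# (uppercase, except "finito"), so the match is case-sensitive.
SNICAT_COMMANDS = ("LIST", "LS", "SIZE", "LD", "CB", "EX", "ALIVE", "EXIT", "WHERE", "finito")

# Assumption (not stated on the page): the token is the leading DNS label of the
# SNI, either alone or followed by "-<session id>", and a "." terminates it.
# Anchoring on the label boundary keeps hostnames such as "listen.example.com"
# or "exit-node.example.org" from matching. Longest tokens first so that
# "EXIT" is tried before "EX".
_ALTERNATION = "|".join(re.escape(c) for c in sorted(SNICAT_COMMANDS, key=len, reverse=True))
SNICAT_RE = re.compile(r"^(?P<cmd>" + _ALTERNATION + r")(?:-[A-Za-z0-9]+)?\.")

# Constructed Zeek ssl.log lines (JSON output); not real traffic.
SAMPLE_SSL_LOG = """\
{"ts":1600000000.1,"uid":"C1a","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","server_name":"LIST-k3j9d8s7f6g5h4j3.example.com"}
{"ts":1600000001.2,"uid":"C2b","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","server_name":"EXIT-k3j9d8s7f6g5h4j3.example.com"}
{"ts":1600000002.3,"uid":"C3c","id.orig_h":"10.0.0.7","id.orig_p":51002,"id.resp_h":"198.51.100.20","id.resp_p":443,"version":"TLSv13","server_name":"www.example.com"}
{"ts":1600000003.4,"uid":"C4d","id.orig_h":"10.0.0.7","id.orig_p":51003,"id.resp_h":"198.51.100.21","id.resp_p":443,"version":"TLSv13","server_name":"listen.example.com"}
{"ts":1600000004.5,"uid":"C5e","id.orig_h":"10.0.0.7","id.orig_p":51004,"id.resp_h":"198.51.100.22","id.resp_p":443,"version":"TLSv13","server_name":"exit-node.example.org"}
{"ts":1600000005.6,"uid":"C6f","id.orig_h":"10.0.0.9","id.orig_p":51005,"id.resp_h":"192.0.2.30","id.resp_p":443,"version":"TLSv12"}
{"ts":1600000006.7,"uid":"C7g","id.orig_h":"10.0.0.5","id.orig_p":51006,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","server_name":"finito-k3j9d8s7f6g5h4j3.example.com"}
"""


def parse_zeek_json(text):
    """Yield one dict per non-empty line of a Zeek JSON log (ssl.log here)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def snicat_command(server_name):
    """Return the SNICat command token found in an SNI value, or None.

    Records without an SNI (server_name missing or empty) never match.
    """
    if not server_name:
        return None
    m = SNICAT_RE.match(server_name)
    return m.group("cmd") if m else None


def detect_snicat(text):
    """Run the check over a Zeek JSON ssl.log and return one hit per matching record."""
    hits = []
    for rec in parse_zeek_json(text):
        cmd = snicat_command(rec.get("server_name"))
        if cmd:
            hits.append({
                "ts": rec.get("ts"),
                "src_ip": rec.get("id.orig_h"),
                "dest_ip": rec.get("id.resp_h"),
                "server_name": rec["server_name"],
                "snicat": cmd,
            })
    return hits


def summarize(hits):
    """Count hits per (src_ip, dest_ip, snicat) to get the pivot points for follow-up."""
    return Counter((h["src_ip"], h["dest_ip"], h["snicat"]) for h in hits)


if __name__ == "__main__":
    found = detect_snicat(SAMPLE_SSL_LOG)
    for h in found:
        print(h)
    for key, n in summarize(found).items():
        print(key, n)
```

Of the seven constructed records, only the LIST, EXIT and finito lines are reported; www.example.com, listen.example.com, exit-node.example.org and the record with no SNI fall through. One caveat the label anchor does not remove: SNI is case-insensitive in practice, so a client that happens to send an uppercase hostname whose first label equals one of the short tokens would still match, which is why the summary groups by source and destination for triage.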


