Detect Snicat Sni Exfiltration
Description
This search looks for commands that the SNICat tool uses in the TLS SNI field.
Help
You must be ingesting Zeek SSL data into Splunk, and the Zeek data should be ingested in JSON format. The search detects when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. Once a match has been detected, you can go further and run other searches to decode the SNI data to prove or disprove whether any data exfiltration has taken place.
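The same check, as an added stand-alone example that is not the Splunk search from this page: it reads Zeek ssl.log records in JSON form, splits the server_name value into labels on "." and "-" (an assumption of this example, made so that the match is a whole label rather than a substring), and reports records whose SNI carries one of the SNICat commands listed above. The sample log lines are constructed, not real traffic.

```python
import json
import re

# Commands the detection looks for in the SNI field, as listed on the page.
SNICAT_COMMANDS = {"LIST", "LS", "SIZE", "LD", "CB", "EX", "ALIVE", "EXIT", "WHERE", "finito"}

# Assumption: compare whole labels (split on "." and "-") case-sensitively, so an
# ordinary hostname such as "ls.example.com" is not flagged by the substring "ls".
_LABEL_SPLIT = re.compile(r"[.\-]")


def snicat_commands_in_sni(server_name):
    """Return the SNICat commands that appear as labels in an SNI value."""
    if not server_name:
        return []
    return [label for label in _LABEL_SPLIT.split(server_name) if label in SNICAT_COMMANDS]


def detect_snicat(zeek_ssl_json_lines):
    """Scan JSON-formatted Zeek ssl.log lines and return the matching records."""
    hits = []
    for raw in zeek_ssl_json_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole scan
        cmds = snicat_commands_in_sni(rec.get("server_name"))  # field absent when no SNI was sent
        if cmds:
            hits.append({
                "ts": rec.get("ts"),
                "src": rec.get("id.orig_h"),
                "dst": rec.get("id.resp_h"),
                "server_name": rec["server_name"],
                "commands": cmds,
            })
    return hits


# Constructed sample Zeek ssl.log lines (JSON output); addresses are documentation ranges.
SAMPLE_SSL_LOG = [
    '{"ts":1600000000.1,"uid":"Cabc1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.7","id.resp_p":443,"server_name":"www.example.com","version":"TLSv12"}',
    '{"ts":1600000001.2,"uid":"Cabc2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.7","id.resp_p":443,"server_name":"LIST-c2.example.net","version":"TLSv12"}',
    '{"ts":1600000002.3,"uid":"Cabc3","id.orig_h":"10.0.0.9","id.orig_p":51002,"id.resp_h":"203.0.113.8","id.resp_p":443,"server_name":"ls.example.com","version":"TLSv12"}',
    '{"ts":1600000003.4,"uid":"Cabc4","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"203.0.113.7","id.resp_p":443,"version":"TLSv12"}',
    'not json at all',
    '{"ts":1600000004.5,"uid":"Cabc6","id.orig_h":"10.0.0.5","id.orig_p":51004,"id.resp_h":"203.0.113.7","id.resp_p":443,"server_name":"finito.example.net","version":"TLSv12"}',
]

if __name__ == "__main__":
    for hit in detect_snicat(SAMPLE_SSL_LOG):
        print(hit)
```

Each hit is a lead, not proof: the SNI values of the matching records still need to be decoded, as the Help text says, before concluding that exfiltration occurred.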