Detect Snicat Sni Exfiltration

Description

This search looks for commands that the SNICat tool uses in the TLS SNI field.

   Help

Detect Snicat Sni Exfiltration Help

You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.

   Search

Open in Search