Navigation :

Detect Snicat Sni Exfiltration

Description

This search looks for commands that the SNICat tool uses in the TLS SNI field.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for commands that the SNICat tool uses in the TLS SNI field.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Exfiltration

MITRE ATT&CK Techniques

Exfiltration Over C2 Channel

Exfiltration Over C2 Channel

MITRE Threat Groups

APT3
APT32
Frankenstein
Gamaredon Group
Ke3chang
Kimsuky
Lazarus Group
MuddyWater
Sandworm Team
Soft Cell
Stealth Falcon
Wizard Spider

Data Sources


   Help

Detect Snicat Sni Exfiltration Help

You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.

   Search

`zeek_ssl` | rex field=server_name "(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`
Open in Search