Plain Http Post Exfiltrated Data

Description

This search detects potential data exfiltration over plain (unencrypted) HTTP POST requests. Malware such as Trickbot, TrojanSpy families and keyloggers, as well as APT operators, commonly send C2 arguments and the output of reconnaissance commands (process lists, system information, network configuration) to the remote C2 server in the body of an HTTP POST. Because the body is cleartext, those command names and arguments are visible in captured HTTP traffic and can be matched directly.

Help

To successfully implement this search, you need to be ingesting Splunk Stream HTTP logs or other network logs that capture HTTP traffic including the request body. Make sure that the http-request-body, payload or request field is enabled in the capture configuration; without the request body the search has nothing to match, and traffic that is TLS-encrypted will not expose a body at all.
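The detection logic described in the Description and Help sections, as an added Python example that is not the Splunk search and not Splunk's code. It applies the same idea (POST method, a readable request body, recon command strings or C2 argument names in that body) to constructed Stream-style HTTP events. The field names (http_method, dest_ip, dest_port, uri_path, form_data), the indicator strings and the sample events are all assumptions chosen for the illustration, not values taken from the analytic.

```python
"""Detect plaintext HTTP POST exfiltration of recon output in HTTP events.

Added example: this is not the Splunk search and not Splunk's code. Field
names and indicator strings are assumptions chosen for the illustration.
"""
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Strings that typically appear when command output or C2 arguments are sent
# in the clear (chosen for this example; tune to your environment).
RECON_INDICATORS = {
    "ipconfig":   re.compile(r"\bipconfig\b", re.I),
    "net view":   re.compile(r"\bnet\s+view\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "tasklist":   re.compile(r"\btasklist\b", re.I),
    "proclist":   re.compile(r'name="?proclist"?', re.I),
    "sysinfo":    re.compile(r'name="?sysinfo"?', re.I),
    "proc_name":  re.compile(r"\b(?:svchost|wermgr)\.exe\b", re.I),
}

# A body that is one bare base64 token is decoded and scanned as well, so a
# trivially encoded body is still caught (an encrypted body would not be).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed Stream-style HTTP events (assumed field names: http_method,
# dest_ip, dest_port, uri_path, form_data). Not real captures.
SAMPLE_EVENTS = [
    {"http_method": "POST", "dest_ip": "203.0.113.10", "dest_port": 80,
     "uri_path": "/gate.php",
     "form_data": "id=WS01&cmd=ipconfig+%2Fall&out=Windows+IP+Configuration&cmd2=net+view"},
    {"http_method": "POST", "dest_ip": "198.51.100.7", "dest_port": 80,
     "uri_path": "/login",
     "form_data": "username=alice&password=hunter2"},
    {"http_method": "GET", "dest_ip": "203.0.113.10", "dest_port": 80,
     "uri_path": "/?q=ipconfig", "form_data": ""},
    {"http_method": "POST", "dest_ip": "192.0.2.55", "dest_port": 8080,
     "uri_path": "/upload",
     "form_data": base64.b64encode(
         b'name="proclist"\r\nsvchost.exe 1234\r\nwermgr.exe 5678').decode()},
]


def candidate_texts(form_data):
    """Return the views of the body worth scanning: URL-decoded, plus the
    base64-decoded text when the whole body is a single base64 token."""
    texts = [unquote_plus(form_data)]
    if BASE64_TOKEN.fullmatch(form_data) and len(form_data) % 4 == 0:
        try:
            raw = base64.b64decode(form_data, validate=True)
            texts.append(raw.decode("utf-8", errors="replace"))
        except (binascii.Error, ValueError):
            pass
    return texts


def scan_body(form_data):
    """Names of the indicators found in any view of the body, in table order."""
    texts = candidate_texts(form_data)
    return [name for name, pattern in RECON_INDICATORS.items()
            if any(pattern.search(t) for t in texts)]


def detect(events):
    """Alert on POST requests whose readable body carries recon indicators."""
    alerts = []
    for ev in events:
        if ev.get("http_method", "").upper() != "POST":
            continue  # the analytic is about POST bodies, not query strings
        body = ev.get("form_data") or ""
        if not body:
            continue  # no captured body, nothing to match
        hits = scan_body(body)
        if hits:
            alerts.append({
                "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                "uri_path": ev["uri_path"],
                "indicators": hits,
                "body_preview": body[:60],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block alerts on the first and last sample events only: the login form carries no recon strings and the GET request has no body, while the base64 upload is caught because the whole body decodes to readable command output. The same limits apply to the Splunk search: an encrypted or compressed body will not match any string indicator, so the analytic only covers adversaries who really do send the data in the clear, and legitimate administration or inventory agents that POST command output to an internal server will need to be excluded during tuning.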
