Unauthorized Stream Data Transfer
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
Unauthorized data transfer involves moving data without authorization through communication channels such as network traffic, file transfers, and more.
Examples:
Unauthorized file transfers through file sharing devices.
Unauthorized data transfer through network protocols.
Attack chain scenario: Insider Threat -> File system manipulation -> Data exfiltration
Impact:
It can be used by adversaries in the following ways:
- Unauthorized access to sensitive data
- Data breach
- System compromise
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the process creation audit policy, and enabling command line auditing.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0040- Impact
Technique: T1565- Data manipulation
Sub-Technique: T1565.002- Transmitted Data Manipulation
Criteria:
( ( FileName = ":" ) ) AND ( ( Process Name = "*esentutl.exe" ) OR ( Process Name = "*printbrm.exe" ) )
Attackers may abuse esentutl.exe to extract data from ESE (Extensible Storage Engine) databases.
Attackers may abuse printbrm.exe to exfiltrate or transfer data by using printer configurations as a communication channel.
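The colon in the FileName criterion is the NTFS alternate data stream notation (C:\dir\file.txt:stream); a colon that is only the drive letter's separator is not a stream. The following is an added example, not part of this rule library or of any vendor product, that applies the criteria above to constructed process-creation records: it treats the FileName field as derived from the audited command line (an assumption), matches the two process names case-insensitively on the image file name, and only counts a file name as a stream when the colon follows a path component and is followed by a non-empty stream name. The record shape (ProcessEvent with image and command_line) and the sample events are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


# Constructed, minimal shape of a process-creation record (Sysmon Event ID 1 or
# Security 4688 with command line auditing enabled). Field names are assumptions.
@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # audited command line


# Process names from the rule's criteria; "*esentutl.exe" / "*printbrm.exe" are
# treated as a case-insensitive match on the image file name.
WATCHED_IMAGES = {"esentutl.exe", "printbrm.exe"}

# Command-line tokens: a double-quoted run (spaces allowed) or a bare run.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# A file name carrying an alternate data stream has a colon after a path component:
# C:\dir\file.txt:stream or file.txt:stream[:$DATA]. The optional leading drive spec
# (C:) is consumed first so its colon does not count; the stream name must be
# non-empty with no separators, which also rejects URLs (https://...) and a stray
# trailing colon from a mistyped file name.
STREAM_PATH_RE = re.compile(
    r'^(?:[A-Za-z]:)?[^:]*[^:\\/]:([^:\\/\s]+)(?::\$DATA)?$', re.IGNORECASE
)


def image_name(path: str) -> str:
    """Return the lower-cased file name part of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_stream_path(token: str) -> bool:
    """True when a command-line token names an alternate data stream."""
    if token.startswith(("-", "/")):      # switches such as /d or -f are never file names
        return False
    return STREAM_PATH_RE.match(token) is not None


def stream_paths(command_line: str) -> list[str]:
    """Every token of the command line that names an alternate data stream."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]
    return [t for t in tokens if is_stream_path(t)]


def evaluate(events: list[ProcessEvent]) -> list[dict]:
    """Apply the rule: watched image AND a stream-style file name on its command line."""
    alerts = []
    for ev in events:
        if image_name(ev.image) not in WATCHED_IMAGES:
            continue
        paths = stream_paths(ev.command_line)
        if paths:
            alerts.append({"image": ev.image, "stream_paths": paths})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Alert: esentutl copy mode writing to a stream.
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /y C:\Users\Public\export.db /d C:\Users\Public\notes.txt:export /o"),
    # Alert: printbrm restoring from a stream (quoted path).
    ProcessEvent(r"C:\Windows\System32\spool\tools\printbrm.exe",
                 r'printbrm.exe -r -f "C:\Users\Public\notes.txt:bundle.zip" -d C:\Users\Public\out'),
    # Benign: database recovery; the only colons are drive-letter separators.
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /r edb /l C:\Windows\NTDS /s C:\Windows\NTDS"),
    # Out of scope: a stream path under a process this rule does not watch.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c more < C:\Users\Public\notes.txt:hidden"),
    # Known false-positive shape: a mistyped trailing colon; the stream check ignores it.
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /y C:\Users\Public\export.db: /d C:\Users\Public\copy.db /o"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Because the stream check requires a non-empty stream name after the colon, the "mistyped file name" false positive noted on this page (a trailing or doubled colon) does not fire here; the cmd.exe sample shows that the rule's scope is the two named binaries, so stream access through other processes needs its own rule.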
When to enable this rule:
Security standards (NIST CSF 2.0):
Enabling this rule will help you meet the security standards' requirements listed below:
ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
When this rule is triggered, you're notified about unauthorized data transfers, which could lead to security breaches and privacy violations. This lets you put strong security measures in place, such as access controls and permissions.
Known false positives: This event may be generated when a mistyped file name is entered, or when a legitimate process uses a file name that contains a special character.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to cease the malicious process.
- Deploy access controls: Implement access controls and permissions to restrict the access of data by unauthorized users.