I am investigating the BOTSv3 dataset via Splunk Enterprise. I found one question very interesting, which is about data exfiltration.
**The Taedonggang adversary sent Grace Hoppy an email bragging about the successful exfiltration of customer data. How many Frothly customer emails were exposed or revealed?**
I ran the query below.
```
index=botsv3 earliest=0 "grace hoppy" sourcetype!="ms:aad:signin"
```
Gracie, We brought your data and imported it: [https://pastebin.com/sdBUkwsE](https://pastebin.com/sdBUkwsE)
We know from the data exfiltration question that Taedonggang used “[email protected]” as an email address when emailing Grace Hoppy. But here, we’re looking for a file upload. It’s not clear if “upload” here includes email attachments. I am very unclear on how they copy or transfer the data from the AWS environment. Is it impossible to find the clues via BOTSv3 and Splunk Enterprise?