June 5, 2021

Splunk Enterprise BOTSV3 Data Exfiltration

Hi All,

I am investigating the BOTSv3 dataset via Splunk Enterprise. I found one question very interesting, which is about data exfiltration.

**The Taedonggang adversary sent Grace Hoppy an email bragging about the successful exfiltration of customer data. How many Frothly customer emails were exposed or revealed?**

I ran the query below.

```
index=botsv3 earliest=0 "grace hoppy" sourcetype!="ms:aad:signin"
```

Gracie, We brought your data and imported it: [https://pastebin.com/sdBUkwsE](https://pastebin.com/sdBUkwsE)

We know from the data exfiltration question that Taedonggang used “[email protected]” as an email address when emailing Grace Hoppy. But here, we’re looking for a file upload. It’s not clear if “upload” here includes email attachments. I am very unclear on how they copy or transfer the data from the AWS environment. Is it impossible to find the clues via BOTSv3 and Splunk Enterprise?
