Plain HTTP POST Exfiltrated Data

name: Plain HTTP POST Exfiltrated Data
id: e2b36208-a364-11eb-8909-acde48001122
version: 11
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.
data_source:
    - Splunk Stream HTTP
search: |-
    `stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*")
      | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count
        BY src_ip dest_ip http_method
           http_user_agent uri_path url
           bytes_in bytes_out
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `plain_http_post_exfiltrated_data_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.
known_false_positives: No false positives have been identified at this time.
references:
    - https://blog.talosintelligence.com/2020/03/trickbot-primer.html
drilldown_searches:
    - name: View the detection results for - "$src_ip$"
      search: '%original_detection_search% | search  src_ip = "$src_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A http post $http_method$ sending packet with plain text of information in uri path $uri_path$
    risk_objects:
        - field: src_ip
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Data Exfiltration
        - Command And Control
        - APT37 Rustonotto and FadeStealer
    asset_type: Endpoint
    mitre_attack_id:
        - T1048.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log
          source: stream
          sourcetype: stream:http