Exfiltration Detections

Name Data Source Technique Type Analytic Story Date
Splunk Data exfiltration from Analytics Workspace using sid query Splunk Exfiltration Over Web Service Hunting Splunk Vulnerabilities 2024-05-25
AWS AMI Attribute Modification for Exfiltration AWS CloudTrail ModifyImageAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-05-09
AWS EC2 Snapshot Shared Externally AWS CloudTrail ModifySnapshotAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-05-07
AWS Exfiltration via Bucket Replication AWS CloudTrail PutBucketReplication Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-05-11
AWS Exfiltration via EC2 Snapshot AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-05-10
AWS S3 Exfiltration Behavior Identified Transfer Data to Cloud Account Correlation Data Exfiltration, Suspicious Cloud Instance Activities 2024-05-13
Gsuite Drive Share In External Email G Suite Drive Exfiltration to Cloud Storage Exfiltration Over Web Service Anomaly Dev Sec Ops, Insider Threat 2024-05-21
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Hunting Dev Sec Ops, Insider Threat 2024-05-10
O365 DLP Rule Triggered Exfiltration Over Alternative Protocol Exfiltration Over Web Service Anomaly Data Exfiltration 2024-09-24
O365 Email Access By Security Administrator Exfiltration Over Web Service Email Collection Remote Email Collection TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2024-04-01
Clients Connecting to Multiple DNS Servers Exfiltration Over Unencrypted Non-C2 Protocol TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-08-15
Detect Long DNS TXT Record Response Exfiltration Over Unencrypted Non-C2 Protocol TTP Command And Control, Suspicious DNS Traffic 2024-08-15
Detection of DNS Tunnels Exfiltration Over Unencrypted Non-C2 Protocol TTP Command And Control, Data Protection, Suspicious DNS Traffic 2024-08-15
Detect RClone Command-Line Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Automated Exfiltration TTP DarkSide Ransomware, Ransomware 2024-08-15
Detect Renamed RClone CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Automated Exfiltration Hunting DarkSide Ransomware, Ransomware 2024-08-19
DNS Exfiltration Using Nslookup App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Over Alternative Protocol TTP Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-08-15
Excessive Usage of NSLOOKUP App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Over Alternative Protocol Anomaly Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-05-15
High Frequency Copy Of Files In Network Share Windows Event Log Security 5145 Transfer Data to Cloud Account Anomaly Information Sabotage, Insider Threat 2024-05-26
Linux Auditd Data Transfer Size Limits Via Split Linux Auditd Execve Data Transfer Size Limits Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Data Transfer Size Limits Via Split Syscall Linux Auditd Syscall Data Transfer Size Limits Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
LOLBAS With Network Traffic Sysmon EventID 3 Ingress Tool Transfer Exfiltration Over Web Service System Binary Proxy Execution TTP Living Off The Land 2024-09-24
Windows Exfiltration Over C2 Via Invoke RestMethod Powershell Script Block Logging 4104 Exfiltration Over C2 Channel TTP Winter Vivern 2024-05-21
Windows Exfiltration Over C2 Via Powershell UploadString Powershell Script Block Logging 4104 Exfiltration Over C2 Channel TTP Winter Vivern 2024-05-27
Windows Rundll32 WebDAV Request CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Over Unencrypted Non-C2 Protocol TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-08-15
Windows Rundll32 WebDav With Network Connection Exfiltration Over Unencrypted Non-C2 Protocol TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-08-15
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-05-22
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel TTP Data Exfiltration 2024-05-21
Detect Traffic Mirroring Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication TTP Router and Infrastructure Security 2024-08-14
DNS Query Length With High Standard Deviation Sysmon EventID 22 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-05-15
High Volume of Bytes Out to Url Nginx Access Exfiltration Over Web Service Anomaly Data Exfiltration 2024-05-24
Multiple Archive Files Http Post Traffic Splunk Stream HTTP Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol TTP Command And Control, Data Exfiltration 2024-05-16
Plain HTTP POST Exfiltrated Data Splunk Stream HTTP Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol TTP Command And Control, Data Exfiltration 2024-05-26
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2024-05-11
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2024-05-29