Exfiltration Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows Exfiltration Over C2 Via Invoke RestMethod | Powershell Script Block Logging 4104 | T1041 | TTP | Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Winter Vivern, Water Gamayun, Microsoft WSUS CVE-2025-59287 | 2026-05-13 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | T1030 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host, Linux Living Off The Land | 2026-05-13 |
| Windows OneDrive Share Mounted via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1567.002 | Anomaly | Data Exfiltration | 2026-05-13 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | T1105 T1218 T1567 | TTP | Living Off The Land, Hellcat Ransomware, Malicious Inno Setup Loader, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, NetSupport RMM Tool Abuse, Fake CAPTCHA Campaigns, Water Gamayun | 2026-05-13 |
| Excessive Usage of NSLOOKUP App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048 | Anomaly | Data Exfiltration, Command And Control, Suspicious DNS Traffic, Dynamic DNS | 2026-05-13 |
| Windows Exfiltration Over C2 Via Powershell UploadString | Powershell Script Block Logging 4104 | T1041 | TTP | Winter Vivern, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Network Connection From Program In Suspect Location | Sysmon EventID 3 | T1011 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Potential Telegram API Request Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1041 T1102.002 | Anomaly | Hellcat Ransomware, BlankGrabber Stealer, XMRig, 0bj3ctivity Stealer, Water Gamayun | 2026-05-13 |
| Windows Gdrive Binary Activity | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1567 | TTP | China-Nexus Threat Activity | 2026-05-13 |
| DNS Exfiltration Using Nslookup App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048 | TTP | Dynamic DNS, Command And Control, Compromised Windows Host, Data Exfiltration, Suspicious DNS Traffic | 2026-05-13 |
| Windows Mustang Panda USB Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1020 T1204.002 T1574.001 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Rundll32 WebDAV Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048.003 | Hunting | CVE-2023-23397 Outlook Elevation of Privilege | 2026-05-13 |
| Windows Rundll32 WebDav With Network Connection | Sysmon EventID 1, Sysmon EventID 3 | T1048.003 | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2026-05-13 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1020 | Hunting | DarkSide Ransomware, Cactus Ransomware, Black Basta Ransomware, Ransomware | 2026-05-13 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | T1030 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Windows Azure Storage Utility Execution Via CLI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1567.002 | Anomaly | Data Exfiltration | 2026-05-13 |
| Linux Gdrive Binary Activity | Sysmon for Linux EventID 1 | T1567 | TTP | China-Nexus Threat Activity | 2026-05-13 |
| MacOS Data Chunking | Osquery Results | T1030 | Anomaly | MacOS Post-Exploitation | 2026-05-13 |
| High Frequency Copy Of Files In Network Share | Windows Event Log Security 5145 | T1537 | Anomaly | Information Sabotage, Insider Threat, Hellcat Ransomware | 2026-05-13 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data | T1020 | TTP | Hellcat Ransomware, Ransomware, Cisco Network Visibility Module Analytics, DarkSide Ransomware, Storm-0501 Ransomware, Cactus Ransomware, Black Basta Ransomware | 2026-05-13 |
| Cisco NVM - Rclone Execution With Network Activity | Cisco Network Visibility Module Flow Data | T1567.002 | Anomaly | Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics | 2026-05-13 |
| High Volume of Bytes Out to Url | Nginx Access | T1567 | Anomaly | Hellcat Ransomware, Data Exfiltration | 2026-05-13 |
| Plain HTTP POST Exfiltrated Data | Splunk Stream HTTP | T1048.003 | TTP | Data Exfiltration, Command And Control, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Multiple Archive Files Http Post Traffic | Splunk Stream HTTP | T1048.003 | TTP | Hellcat Ransomware, Data Exfiltration, Command And Control, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Cisco ASA - Device File Copy to Remote Location | Cisco ASA Logs | T1005 T1041 T1048.003 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor | 2026-05-13 |
| Ollama Possible Model Exfiltration Data Leakage | Ollama Server | T1048 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Gsuite Drive Share In External Email | G Suite Drive | T1567.002 | Anomaly | Insider Threat, Scattered Lapsus$ Hunters, Dev Sec Ops | 2026-05-13 |
| AWS Exfiltration via Bucket Replication | AWS CloudTrail PutBucketReplication | T1537 | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2026-05-13 |
| AWS Exfiltration via EC2 Snapshot | AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail CreateSnapshot | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| O365 DLP Rule Triggered | Office 365 Universal Audit Log | T1048 T1567 | Anomaly | Data Exfiltration | 2026-05-13 |
| AWS EC2 Snapshot Shared Externally | AWS CloudTrail ModifySnapshotAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| O365 Exfiltration via File Sync Download | Office 365 Universal Audit Log | T1530 T1567 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| AWS AMI Attribute Modification for Exfiltration | AWS CloudTrail ModifyImageAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| AWS S3 Exfiltration Behavior Identified | | T1537 | Correlation | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| ASL AWS EC2 Snapshot Shared Externally | ASL AWS CloudTrail | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| O365 Exfiltration via File Access | Office 365 Universal Audit Log | T1530 T1567 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| Gsuite Outbound Email With Attachment To External Domain | G Suite Gmail | T1048.003 | Hunting | Insider Threat, Dev Sec Ops | 2026-05-13 |
| O365 Email Access By Security Administrator | Office 365 Universal Audit Log | T1114.002 T1567 | TTP | Office 365 Account Takeover, Data Exfiltration, Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Exfiltration via File Download | Office 365 Universal Audit Log | T1530 T1567 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| Prohibited Network Traffic Allowed | Cisco Secure Firewall Threat Defense Connection Event | T1048 | TTP | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics, Ransomware | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1041 T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer | 2026-05-13 |
| DNS Query Length With High Standard Deviation | Sysmon EventID 22 | T1048.003 | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2026-05-13 |
| Cisco Secure Firewall - Intrusion Events by Threat Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1041 T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor | 2026-05-13 |
| Cisco Secure Firewall - Potential Data Exfiltration | Cisco Secure Firewall Threat Defense Connection Event | T1041 T1048.003 T1567.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco TFTP Server Configuration for Data Exfiltration | Cisco IOS Logs | T1005 T1567 | TTP | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect SNICat SNI Exfiltration | | T1041 | TTP | Data Exfiltration | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Download Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1041 T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer | 2026-05-13 |
| Cisco Secure Firewall - High EVE Threat Confidence | Cisco Secure Firewall Threat Defense Connection Event | T1041 T1071.001 T1105 T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Protocol or Port Mismatch | Cisco Secure Firewall Threat Defense Connection Event | T1048.003 | Anomaly | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Traffic Mirroring | Cisco IOS Logs | T1020.001 T1200 T1498 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | T1071.001 T1090.002 T1105 T1567.002 T1588.002 | Anomaly | Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |