GitHub Repo

Analytics Story: Data Exfiltration

Updated Date: 2026-05-13 ID: 66b0fe0c-1351-11eb-adc1-0242ac120002 Author: Bhavin Patel, Shannon Davis, Splunk Product: Splunk Enterprise Security

Description

Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.

Why it matters

This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.

AWS S3 Exfiltration Behavior Identified

 1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message FROM datamodel=Risk.All_Risk
 2  WHERE All_Risk.annotations.mitre_attack.mitre_tactic = "collection"
 3    OR
 4    All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS*
 5  BY All_Risk.risk_object
 6| `drop_dm_object_name(All_Risk)`
 7| `security_content_ctime(firstTime)`
 8| `security_content_ctime(lastTime)`
 9| where source_count >= 2 and mitre_tactic_id_count>=2
10| `aws_s3_exfiltration_behavior_identified_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Azure Storage Utility Execution Via CLI Exfiltration to Cloud Storage Anomaly
AWS AMI Attribute Modification for Exfiltration Transfer Data to Cloud Account TTP
O365 Application Available To Other Tenants Additional Cloud Roles TTP
Multiple Archive Files Http Post Traffic Exfiltration Over Unencrypted Non-C2 Protocol TTP
High Volume of Bytes Out to Url Exfiltration Over Web Service Anomaly
AWS Disable Bucket Versioning Inhibit System Recovery Anomaly
AWS Exfiltration via DataSync Task Automated Collection TTP
Windows OneDrive Share Mounted via Net Exfiltration to Cloud Storage Anomaly
O365 PST export alert Email Collection TTP
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly
O365 Exfiltration via File Download Data from Cloud Storage, Exfiltration Over Web Service Anomaly
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted Non-C2 Protocol TTP
AWS EC2 Snapshot Shared Externally Transfer Data to Cloud Account TTP
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
Mailsniper Invoke functions Local Email Collection TTP
O365 Email Transport Rule Changed Email Forwarding Rule, Email Hiding Rules Anomaly
O365 Email Access By Security Administrator Remote Email Collection, Exfiltration Over Web Service TTP
AWS Exfiltration via Batch Service Automated Collection TTP
ASL AWS EC2 Snapshot Shared Externally Transfer Data to Cloud Account TTP
AWS Exfiltration via EC2 Snapshot Transfer Data to Cloud Account TTP
Detect Certipy File Modifications Archive Collected Data, Steal or Forge Authentication Certificates TTP
AWS Exfiltration via Bucket Replication Transfer Data to Cloud Account TTP
AWS Exfiltration via Anomalous GetObject API Activity Automated Collection Anomaly
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel TTP
Windows TOR Client Execution Multi-hop Proxy Anomaly
O365 Exfiltration via File Sync Download Data from Cloud Storage, Exfiltration Over Web Service Anomaly
ASL AWS Disable Bucket Versioning Inhibit System Recovery Anomaly
O365 DLP Rule Triggered Exfiltration Over Alternative Protocol, Exfiltration Over Web Service Anomaly
Linux Curl Upload File Ingress Tool Transfer TTP
O365 Exfiltration via File Access Data from Cloud Storage, Exfiltration Over Web Service Anomaly
Gdrive suspicious file sharing Phishing Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
AWS CloudTrail ModifyImageAttribute AWS icon AWS aws:cloudtrail aws_cloudtrail
Office 365 Universal Audit Log Other o365:management:activity o365
Splunk Stream HTTP Splunk icon Splunk stream:http stream:http
Nginx Access Other nginx:plus:kv /var/log/nginx/access.log
AWS CloudTrail PutBucketVersioning AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail CreateTask AWS icon AWS aws:cloudtrail aws_cloudtrail
O365 Other o365:management:activity o365
AWS CloudTrail ModifySnapshotAttribute AWS icon AWS aws:cloudtrail aws_cloudtrail
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
AWS CloudTrail JobCreated AWS icon AWS aws:cloudtrail aws_cloudtrail
ASL AWS CloudTrail AWS icon AWS aws:asl aws_asl
AWS CloudTrail DescribeSnapshotAttribute AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteSnapshot AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail CreateSnapshot AWS icon AWS aws:cloudtrail aws_cloudtrail
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
AWS CloudTrail PutBucketReplication AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail GetObject AWS icon AWS aws:cloudtrail aws_cloudtrail
Cisco Isovalent Process Exec Other cisco:isovalent:processExec not_applicable
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References

Source: GitHub | Version: 3