Exfiltration Analytic Stories

Analytic stories whose tactics include Exfiltration, one record per story, most recently updated first. Each record lists the story's platform (taken from the platform icon on the original page), the data sources its detections consume, the ATT&CK tactics it covers, the Splunk products it supports, and its date.

Compromised Linux Host
  Platform: Linux
  Data sources: Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall
  Tactics: Collection, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2024-06-25

Compromised Windows Host
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 11, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045
  Tactics: Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2024-04-18

Splunk Vulnerabilities
  Platform: Splunk
  Data sources: Splunk Stream TCP, Splunk
  Tactics: Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Resource Development
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2024-01-22

Office 365 Account Takeover
  Data sources: O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365
  Tactics: Collection, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Persistence, Privilege Escalation, Resource Development
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2023-10-17

Data Exfiltration
  Platform: Linux
  Data sources: AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, CrowdStrike ProcessRollup2, Nginx Access, O365, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 1, Sysmon EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
  Tactics: Collection, Command And Control, Credential Access, Exfiltration, Impact, Initial Access, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2023-05-17

Suspicious AWS S3 Activities
  Platform: AWS
  Data sources: AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail
  Tactics: Collection, Exfiltration, Impact
  Products: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2023-04-24

CVE-2023-23397 Outlook Elevation of Privilege
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
  Tactics: Exfiltration
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2023-03-15

Winter Vivern
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200
  Tactics: Collection, Command And Control, Defense Evasion, Discovery, Execution, Exfiltration, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2023-02-16

Linux Living Off The Land
  Platform: Linux
  Data sources: CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11, Windows Event Log Security 4688
  Tactics: Collection, Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Lateral Movement, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2022-07-27

Azure Active Directory Account Takeover
  Platform: Azure
  Data sources: Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory
  Tactics: Collection, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Persistence, Privilege Escalation, Resource Development
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2022-07-14

Insider Threat
  Platform: Linux
  Data sources: CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145
  Tactics: Command And Control, Credential Access, Defense Evasion, Exfiltration, Initial Access, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics
  Date: 2022-05-19

Living Off The Land
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery
  Tactics: Command And Control, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2022-03-16

Linux Persistence Techniques
  Platform: Linux
  Data sources: Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
  Tactics: Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2021-12-17

Linux Privilege Escalation
  Platform: Linux
  Data sources: Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
  Tactics: Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2021-12-17

Dev Sec Ops
  Platform: AWS
  Data sources: AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail, GitHub
  Tactics: Credential Access, Discovery, Execution, Exfiltration, Initial Access, Persistence
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2021-08-18

DarkSide Ransomware
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Windows Event Log Security 4688
  Tactics: Command And Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Lateral Movement, Persistence, Privilege Escalation
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2021-05-12

Suspicious Cloud Instance Activities
  Platform: AWS
  Data sources: AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail
  Tactics: Defense Evasion, Exfiltration, Initial Access, Persistence, Privilege Escalation
  Products: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2020-08-25

DNS Hijacking
  Platform: Windows
  Data sources: Sysmon EventID 22
  Tactics: Command And Control, Exfiltration, Initial Access
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2020-02-04

Ransomware
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036
  Tactics: Collection, Command And Control, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2020-02-04

Hidden Cobra Malware
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 22, Windows Event Log Security 4688
  Tactics: Command And Control, Defense Evasion, Execution, Exfiltration, Lateral Movement
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2020-01-22

Dynamic DNS
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
  Tactics: Command And Control, Exfiltration, Initial Access
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2018-09-06

Command And Control
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 22, Windows Event Log Security 4688
  Tactics: Command And Control, Exfiltration, Initial Access
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2018-06-01

Suspicious DNS Traffic
  Platform: Windows
  Data sources: CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
  Tactics: Command And Control, Exfiltration, Initial Access
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2017-09-18

Host Redirection
  Platform: Windows
  Data sources: Sysmon EventID 11
  Tactics: Command And Control, Exfiltration
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2017-09-14

Data Protection
  Platform: Windows
  Data sources: Sysmon EventID 22
  Tactics: Exfiltration, Initial Access
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2017-09-14

Prohibited Traffic Allowed or Protocol Mismatch
  Platform: Windows
  Data sources: Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22
  Tactics: Command And Control, Exfiltration, Initial Access, Lateral Movement
  Products: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  Date: 2017-09-11