Exfiltration Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| ASL AWS EC2 Snapshot Shared Externally | ASL AWS CloudTrail | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2025-05-02 |
| AWS AMI Attribute Modification for Exfiltration | AWS CloudTrail ModifyImageAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2025-05-02 |
| AWS EC2 Snapshot Shared Externally | AWS CloudTrail ModifySnapshotAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2025-05-02 |
| AWS Exfiltration via Bucket Replication | AWS CloudTrail PutBucketReplication | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2025-05-02 |
| AWS Exfiltration via EC2 Snapshot | AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail ModifySnapshotAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2025-05-02 |
| AWS S3 Exfiltration Behavior Identified | | Transfer Data to Cloud Account | Correlation | Data Exfiltration, Suspicious Cloud Instance Activities | 2025-05-02 |
| Gsuite Drive Share In External Email | G Suite Drive | Exfiltration to Cloud Storage | Anomaly | Dev Sec Ops, Insider Threat | 2025-06-10 |
| Gsuite Outbound Email With Attachment To External Domain | G Suite Gmail | Exfiltration Over Unencrypted Non-C2 Protocol | Hunting | Dev Sec Ops, Insider Threat | 2025-05-02 |
| O365 DLP Rule Triggered | Office 365 Universal Audit Log | Exfiltration Over Alternative Protocol, Exfiltration Over Web Service | Anomaly | Data Exfiltration | 2025-05-02 |
| O365 Email Access By Security Administrator | Office 365 Universal Audit Log | Remote Email Collection, Exfiltration Over Web Service | TTP | Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover | 2025-05-02 |
| O365 Exfiltration via File Access | Office 365 Universal Audit Log | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2025-05-02 |
| O365 Exfiltration via File Download | Office 365 Universal Audit Log | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2025-05-02 |
| O365 Exfiltration via File Sync Download | Office 365 Universal Audit Log | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2025-05-02 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | TTP | Black Basta Ransomware, Cactus Ransomware, DarkSide Ransomware, Ransomware | 2025-05-02 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | Hunting | Black Basta Ransomware, Cactus Ransomware, DarkSide Ransomware, Ransomware | 2025-05-02 |
| DNS Exfiltration Using Nslookup App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exfiltration Over Alternative Protocol | TTP | Command And Control, Compromised Windows Host, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2025-05-02 |
| Excessive Usage of NSLOOKUP App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exfiltration Over Alternative Protocol | Anomaly | Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2025-05-02 |
| High Frequency Copy Of Files In Network Share | Windows Event Log Security 5145 | Transfer Data to Cloud Account | Anomaly | Information Sabotage, Insider Threat | 2025-05-02 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | Fake CAPTCHA Campaigns, Living Off The Land, Malicious Inno Setup Loader, Water Gamayun | 2025-05-26 |
| Potential Telegram API Request Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly | Water Gamayun, XMRig | 2025-05-02 |
| Windows Exfiltration Over C2 Via Invoke RestMethod | Powershell Script Block Logging 4104 | Exfiltration Over C2 Channel | TTP | Water Gamayun, Winter Vivern | 2025-05-02 |
| Windows Exfiltration Over C2 Via Powershell UploadString | Powershell Script Block Logging 4104 | Exfiltration Over C2 Channel | TTP | Winter Vivern | 2025-05-02 |
| Windows Rundll32 WebDAV Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2025-05-02 |
| Windows Rundll32 WebDav With Network Connection | Sysmon EventID 1, Sysmon EventID 3 | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2025-06-10 |
| Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02 |
| Cisco Secure Firewall - High EVE Threat Confidence | Cisco Secure Firewall Threat Defense Connection Event | Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02 |
| Cisco Secure Firewall - Intrusion Events by Threat Activity | Cisco Secure Firewall Threat Defense Intrusion Event | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-12 |
| Cisco Secure Firewall - Lumma Stealer Download Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer | 2025-04-26 |
| Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer | 2025-04-26 |
| Cisco Secure Firewall - Potential Data Exfiltration | Cisco Secure Firewall Threat Defense Connection Event | Exfiltration Over C2 Channel, Exfiltration to Cloud Storage, Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02 |
| Detect DNS Data Exfiltration using pretrained model in DSDL | | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2025-05-02 |
| Detect SNICat SNI Exfiltration | | Exfiltration Over C2 Channel | TTP | Data Exfiltration | 2025-05-02 |
| Detect Traffic Mirroring | | Traffic Duplication, Hardware Additions, Network Denial of Service | TTP | Router and Infrastructure Security | 2025-05-02 |
| DNS Query Length With High Standard Deviation | Sysmon EventID 22 | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2025-05-02 |
| Prohibited Network Traffic Allowed | Cisco Secure Firewall Threat Defense Connection Event | Exfiltration Over Alternative Protocol | TTP | Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2025-06-17 |
| Protocol or Port Mismatch | Cisco Secure Firewall Threat Defense Connection Event | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch | 2025-05-27 |
| High Volume of Bytes Out to Url | Nginx Access | Exfiltration Over Web Service | Anomaly | Data Exfiltration | 2025-05-02 |
| Multiple Archive Files Http Post Traffic | Splunk Stream HTTP | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Data Exfiltration | 2025-05-02 |
| Plain HTTP POST Exfiltrated Data | Splunk Stream HTTP | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Data Exfiltration | 2025-05-02 |