Exfiltration Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Splunk Data exfiltration from Analytics Workspace using sid query	Splunk	Exfiltration Over Web Service	Hunting	Splunk Vulnerabilities	2024-05-25
AWS AMI Attribute Modification for Exfiltration	AWS CloudTrail ModifyImageAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-09
AWS EC2 Snapshot Shared Externally	AWS CloudTrail ModifySnapshotAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-07
AWS Exfiltration via Bucket Replication	AWS CloudTrail PutBucketReplication	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-05-11
AWS Exfiltration via EC2 Snapshot	AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-10
AWS S3 Exfiltration Behavior Identified		Transfer Data to Cloud Account	Correlation	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-13
Gsuite Drive Share In External Email	G Suite Drive	Exfiltration to Cloud Storage Exfiltration Over Web Service	Anomaly	Dev Sec Ops, Insider Threat	2024-05-21
Gsuite Outbound Email With Attachment To External Domain	G Suite Gmail	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	Hunting	Dev Sec Ops, Insider Threat	2024-05-10
O365 DLP Rule Triggered		Exfiltration Over Alternative Protocol Exfiltration Over Web Service	Anomaly	Data Exfiltration	2024-04-01
O365 Email Access By Security Administrator		Exfiltration Over Web Service Email Collection Remote Email Collection	TTP	Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover	2024-04-01
Clients Connecting to Multiple DNS Servers		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-08-15
Detect Long DNS TXT Record Response		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, Suspicious DNS Traffic	2024-08-15
Detection of DNS Tunnels		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, Data Protection, Suspicious DNS Traffic	2024-08-15
Detect RClone Command-Line Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Automated Exfiltration	TTP	DarkSide Ransomware, Ransomware	2024-08-15
Detect Renamed RClone	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Automated Exfiltration	Hunting	DarkSide Ransomware, Ransomware	2024-08-19
DNS Exfiltration Using Nslookup App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exfiltration Over Alternative Protocol	TTP	Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic	2024-08-15
Excessive Usage of NSLOOKUP App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exfiltration Over Alternative Protocol	Anomaly	Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic	2024-05-15
High Frequency Copy Of Files In Network Share	Windows Event Log Security 5145	Transfer Data to Cloud Account	Anomaly	Information Sabotage, Insider Threat	2024-05-26
Linux Auditd Data Transfer Size Limits Via Split	Linux Auditd Execve	Data Transfer Size Limits	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Data Transfer Size Limits Via Split Syscall	Linux Auditd Syscall	Data Transfer Size Limits	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
LOLBAS With Network Traffic	Sysmon EventID 3	Ingress Tool Transfer Exfiltration Over Web Service System Binary Proxy Execution	TTP	Living Off The Land	2024-05-11
Windows Exfiltration Over C2 Via Invoke RestMethod	Powershell Script Block Logging 4104	Exfiltration Over C2 Channel	TTP	Winter Vivern	2024-05-21
Windows Exfiltration Over C2 Via Powershell UploadString	Powershell Script Block Logging 4104	Exfiltration Over C2 Channel	TTP	Winter Vivern	2024-05-27
Windows Rundll32 WebDAV Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exfiltration Over Unencrypted Non-C2 Protocol	TTP	CVE-2023-23397 Outlook Elevation of Privilege	2024-08-15
Windows Rundll32 WebDav With Network Connection		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	CVE-2023-23397 Outlook Elevation of Privilege	2024-08-15
Detect DNS Data Exfiltration using pretrained model in DSDL		Exfiltration Over Unencrypted Non-C2 Protocol	Anomaly	Command And Control, DNS Hijacking, Suspicious DNS Traffic	2024-05-22
Detect SNICat SNI Exfiltration		Exfiltration Over C2 Channel	TTP	Data Exfiltration	2024-05-21
Detect Traffic Mirroring		Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication	TTP	Router and Infrastructure Security	2024-08-14
DNS Query Length With High Standard Deviation	Sysmon EventID 22	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	Anomaly	Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic	2024-05-15
High Volume of Bytes Out to Url	Nginx Access	Exfiltration Over Web Service	Anomaly	Data Exfiltration	2024-05-24
Multiple Archive Files Http Post Traffic	Splunk Stream HTTP	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	TTP	Command And Control, Data Exfiltration	2024-05-16
Plain HTTP POST Exfiltrated Data	Splunk Stream HTTP	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	TTP	Command And Control, Data Exfiltration	2024-05-26
Prohibited Network Traffic Allowed		Exfiltration Over Alternative Protocol	TTP	Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware	2024-05-11
Protocol or Port Mismatch		Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	Anomaly	Command And Control, Prohibited Traffic Allowed or Protocol Mismatch	2024-05-29