Exfiltration Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows Exfiltration Over C2 Via Invoke RestMethod | Powershell Script Block Logging 4104 | T1041 | TTP | Microsoft WSUS CVE-2025-59287, Water Gamayun, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Winter Vivern | 2026-05-13 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | T1030 | Anomaly | Hellcat Ransomware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows OneDrive Share Mounted via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1567.002 | Anomaly | Data Exfiltration | 2026-05-13 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | T1105, T1218, T1567 | TTP | Water Gamayun, Fake CAPTCHA Campaigns, Living Off The Land, Hellcat Ransomware, NetSupport RMM Tool Abuse, Malicious Inno Setup Loader, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Excessive Usage of NSLOOKUP App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048 | Anomaly | Command And Control, Suspicious DNS Traffic, Dynamic DNS, Data Exfiltration | 2026-05-13 |
| Windows Exfiltration Over C2 Via Powershell UploadString | Powershell Script Block Logging 4104 | T1041 | TTP | Winter Vivern, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Network Connection From Program In Suspect Location | Sysmon EventID 3 | T1011 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Potential Telegram API Request Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1041, T1102.002 | Anomaly | 0bj3ctivity Stealer, Water Gamayun, BlankGrabber Stealer, Hellcat Ransomware, XMRig | 2026-05-13 |
| Windows Gdrive Binary Activity | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1567 | TTP | China-Nexus Threat Activity | 2026-05-13 |
| DNS Exfiltration Using Nslookup App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048 | TTP | Dynamic DNS, Data Exfiltration, Compromised Windows Host, Command And Control, Suspicious DNS Traffic | 2026-05-13 |
| Windows Mustang Panda USB Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1020, T1204.002, T1574.001 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Rundll32 WebDAV Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048.003 | Hunting | CVE-2023-23397 Outlook Elevation of Privilege | 2026-05-13 |
| Windows Rundll32 WebDav With Network Connection | Sysmon EventID 1, Sysmon EventID 3 | T1048.003 | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2026-05-13 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1020 | Hunting | Ransomware, DarkSide Ransomware, Cactus Ransomware, Black Basta Ransomware | 2026-05-13 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | T1030 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Windows Azure Storage Utility Execution Via CLI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1567.002 | Anomaly | Data Exfiltration | 2026-05-13 |
| Linux Gdrive Binary Activity | Sysmon for Linux EventID 1 | T1567 | TTP | China-Nexus Threat Activity | 2026-05-13 |
| MacOS Data Chunking | Osquery Results | T1030 | Anomaly | MacOS Post-Exploitation | 2026-05-13 |
| High Frequency Copy Of Files In Network Share | Windows Event Log Security 5145 | T1537 | Anomaly | Insider Threat, Hellcat Ransomware, Information Sabotage | 2026-05-13 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 | T1020 | TTP | DarkSide Ransomware, Cisco Network Visibility Module Analytics, Hellcat Ransomware, Storm-0501 Ransomware, Cactus Ransomware, Black Basta Ransomware, Ransomware | 2026-05-13 |
| Cisco NVM - Rclone Execution With Network Activity | Cisco Network Visibility Module Flow Data | T1567.002 | Anomaly | Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics | 2026-05-13 |
| High Volume of Bytes Out to Url | Nginx Access | T1567 | Anomaly | Data Exfiltration, Hellcat Ransomware | 2026-05-13 |
| Plain HTTP POST Exfiltrated Data | Splunk Stream HTTP | T1048.003 | TTP | Data Exfiltration, APT37 Rustonotto and FadeStealer, Command And Control | 2026-05-13 |
| Multiple Archive Files Http Post Traffic | Splunk Stream HTTP | T1048.003 | TTP | Data Exfiltration, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Command And Control | 2026-05-13 |
| Cisco ASA - Device File Copy to Remote Location | Cisco ASA Logs | T1005, T1041, T1048.003 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Ollama Possible Model Exfiltration Data Leakage | Ollama Server | T1048 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Gsuite Drive Share In External Email | G Suite Drive | T1567.002 | Anomaly | Insider Threat, Scattered Lapsus$ Hunters, Dev Sec Ops | 2026-05-13 |
| AWS Exfiltration via Bucket Replication | AWS CloudTrail PutBucketReplication | T1537 | TTP | Suspicious AWS S3 Activities, Data Exfiltration | 2026-05-13 |
| AWS Exfiltration via EC2 Snapshot | AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| O365 DLP Rule Triggered | Office 365 Universal Audit Log | T1048, T1567 | Anomaly | Data Exfiltration | 2026-05-13 |
| AWS EC2 Snapshot Shared Externally | AWS CloudTrail ModifySnapshotAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| O365 Exfiltration via File Sync Download | Office 365 Universal Audit Log | T1530, T1567 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-05-13 |
| AWS AMI Attribute Modification for Exfiltration | AWS CloudTrail ModifyImageAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| AWS S3 Exfiltration Behavior Identified |  | T1537 | Correlation | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| ASL AWS EC2 Snapshot Shared Externally | ASL AWS CloudTrail | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2026-05-13 |
| O365 Exfiltration via File Access | Office 365 Universal Audit Log | T1530, T1567 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-05-13 |
| Gsuite Outbound Email With Attachment To External Domain | G Suite Gmail | T1048.003 | Hunting | Insider Threat, Dev Sec Ops | 2026-05-13 |
| O365 Email Access By Security Administrator | Office 365 Universal Audit Log | T1114.002, T1567 | TTP | Data Exfiltration, Azure Active Directory Account Takeover, Office 365 Account Takeover | 2026-05-13 |
| O365 Exfiltration via File Download | Office 365 Universal Audit Log | T1530, T1567 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-05-13 |
| Prohibited Network Traffic Allowed | Cisco Secure Firewall Threat Defense Connection Event | T1048 | TTP | Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware, Command And Control | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1041, T1573.002 | Anomaly | Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| DNS Query Length With High Standard Deviation | Sysmon EventID 22 | T1048.003 | Anomaly | Suspicious DNS Traffic, Hidden Cobra Malware, Command And Control | 2026-05-13 |
| Cisco Secure Firewall - Intrusion Events by Threat Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1041, T1573.002 | Anomaly | ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Potential Data Exfiltration | Cisco Secure Firewall Threat Defense Connection Event | T1041, T1048.003, T1567.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco TFTP Server Configuration for Data Exfiltration | Cisco IOS Logs | T1005, T1567 | TTP | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect SNICat SNI Exfiltration |  | T1041 | TTP | Data Exfiltration | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Download Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1041, T1573.002 | Anomaly | Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - High EVE Threat Confidence | Cisco Secure Firewall Threat Defense Connection Event | T1041, T1071.001, T1105, T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Protocol or Port Mismatch | Cisco Secure Firewall Threat Defense Connection Event | T1048.003 | Anomaly | Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics, Command And Control | 2026-05-13 |
| Detect Traffic Mirroring | Cisco IOS Logs | T1020.001, T1200, T1498 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | T1071.001, T1090.002, T1105, T1567.002, T1588.002 | Anomaly | Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |