One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Detects dump of credentials in VeeamBackup dbo
Detects attempts to discover files with the setuid/setgid capability set on them, which would allow an adversary to escalate their privileges.
Detects attempts to collect data stored in the clipboard from users by using the xclip tool. xclip has to be installed. Use of this rule is highly recommended on servers, given the high usage of clipboard utilities on user workstations.
Detects an adversary creating a screen capture of the desktop with the ImageMagick import tool. Use of this rule is highly recommended on servers, given the high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Detects an adversary creating a screen capture of the full screen with xwd. Use of this rule is highly recommended on servers, given the high usage of screenshot utilities on user workstations.
Detects a command used by Conti to dump a database
Detects a command used by Conti to exfiltrate NTDS
Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Adversaries may log user keystrokes to intercept credentials as the user types them.
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
An adversary may compress or encrypt data that is collected prior to exfiltration using third-party utilities
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
Injects an arbitrary DLL into a running process specified by process ID. Requires Windows 10.
Detects a suspicious copy command to or from an Admin share
Various protocols may be used to put data on the device for exfiltration or infiltration
Collect pertinent data from the configuration files
Detects an attacker collecting audio via the SoundRecorder application.
Detects audio capture via PowerShell Cmdlet.
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
psr.exe captures desktop screenshots and saves them on the local machine
Detects suspicious command line arguments of common data compression tools
Detects URL pattern used by iOS Implant
A general detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential screen capture.
Detects processes accessing the camera and microphone from a suspicious folder
Detects known sensitive file extensions via Zeek
Detects known sensitive file extensions accessed on a network share
Detects attempts to use screencapture to collect macOS screenshots
Detects the use of rar.exe on the command line to create an archive with password protection or with a specific compression level. This is strongly indicative of malicious actions.
Detects potential adversaries accessing the microphone and webcam on an endpoint.
Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as done by HAFNIUM
Detects attempts to collect image data stored in the clipboard from users by using the xclip tool. xclip has to be installed. Use of this rule is highly recommended on servers, given the high usage of clipboard utilities on user workstations.
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
Detects attempts to record audio with the arecord utility
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). This is used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.