attack.exfiltration

Suspicious ConfigSecurityPolicy Execution
level
status experimental

Detects file upload, credential or data exfiltration using a binary that is part of Windows Defender.

Data Exfiltration with Wget
level
status experimental

Detects attempts to POST a file using the wget utility. An adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files such as /etc/shadow.

Rclone Execution via Command Line or PowerShell
level
status deprecated

Detects Rclone, which is commonly used by ransomware groups for exfiltration.

RClone Execution
level
status deprecated

Detects execution of the RClone utility for exfiltration, as used by various ransomware strains such as REvil, Conti, FiveHands, etc.

LOLBAS Data Exfiltration by DataSvcUtil.exe
level
status experimental

Detects when a user performs data exfiltration by using DataSvcUtil.exe.

Suspicious Bitstransfer via PowerShell
level
status experimental

Detects transferring files from a system to a server via the BitsTransfer PowerShell cmdlets.

AWS S3 Data Management Tampering
level
status experimental

Detects when a user tampers with S3 data management in Amazon Web Services.

Restore Public AWS RDS Instance
level
status experimental

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

AWS RDS Master Password Change
level
status experimental

Detects the change of database master password. It may be a part of data exfiltration.

AWS EC2 Download Userdata
level
status experimental

Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.

Copy from Admin Share
level
status test

Detects a suspicious copy command to or from an Admin share.

Cisco Stage Data
level
status test

Various protocols may be used to stage data on the device for exfiltration or infiltration.

Tap Installer Execution
level
status test

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques.

Tap Driver Installation
level
status experimental

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques.

High TXT Records Requests Rate
level
status test

Extremely high rate of TXT record type DNS requests from a host within a short period of time. Possible result of Do-exfiltration tool execution.

High NULL Records Requests Rate
level
status test

Extremely high rate of NULL record type DNS requests from a host within a short period of time. Possible result of iodine tool execution.

High DNS Requests Rate
level
status experimental

High number of DNS requests from a host within a short period of time.

High DNS Requests Rate
level
status experimental

High number of DNS requests from a host within a short period of time.

High DNS Bytes Out
level
status experimental

High volume of DNS query bytes sent from a host within a short period of time.

High DNS Bytes Out
level
status experimental

High volume of DNS query bytes sent from a host within a short period of time.

Exfiltration and Tunneling Tools Execution
level
status test

Execution of well-known tools for data exfiltration and tunneling.

Dnscat Execution
level
status experimental

Detects execution of the Dnscat exfiltration tool.

Data Compressed - PowerShell
level
status experimental

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Data Compressed
level
status test

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Possible DNS Tunneling
level
status test

Normally, DNS logs contain a limited number of different DNS queries for a single domain. This rule detects a high number of queries for a single domain, which can be an indicator that DNS is being used to transfer data.

Suspicious DNS Query with B64 Encoded String
level
status experimental

Detects suspicious DNS queries containing base64-encoded strings.

Microsoft Binary Github Communication
level
status test

Detects an executable in the Windows folder accessing github.com.

Windows PowerShell Upload Web Request
level
status experimental

Detects the use of various web request POST or PUT methods (including aliases) via a Windows PowerShell command.

WebDav Put Request
level
status test

A general detection for a WebDav user agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

Suspicious WebDav Client Execution
level
status test

A general detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration, or of WebDav being used to launch code hosted on a WebDav server.

Suspicious Outbound SMTP Connections
level
status experimental

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to a network location other than the main command and control server.

Suspicious OAuth App File Download Activities
level
status experimental

Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

Suspicious Inbox Forwarding
level
status experimental

Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example when a user creates an inbox rule that forwards a copy of all emails to an external address.

Suspicious Curl File Upload
level
status test

Detects a suspicious curl process start that adds a file to a web request.

Split A File Into Pieces
level
status test

Detects use of the “split” command to split files into parts for possible transfer.

Split A File Into Pieces
level
status test

Detects use of the “split” command to split files into parts for possible transfer.

Rclone Config File Creation
level
status experimental

Detects an Rclone config file being created.

PowerShell ICMP Exfiltration
level
status experimental

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.

Powershell Exfiltration Over SMTP
level
status experimental

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to a network location other than the main command and control server.

Exports Registry Key To a File
level
status test

Detects the export of the target Registry key to a file.

Exports Critical Registry Keys To a File
level
status test

Detects the export of a critical Registry key to a file.

DNS Query for MEGA.io Upload Domain
level
status experimental

Detects DNS queries for subdomains used for uploads to MEGA.io.

Data Exfiltration to Unsanctioned Apps
level
status experimental

Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.

Communication To Mega.nz
level
status experimental

Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing or of data exfiltration by malicious actors.

AWS Snapshot Backup Exfiltration
level
status test

Detects the modification of an EC2 snapshot’s permissions to enable access from another account.

AWS EC2 VM Export Failure
level
status experimental

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

APT40 Dropbox Tool User Agent
level
status test

Detects the suspicious user agent string of the APT40 Dropbox tool.
