SOC OperationsIncident ResponseWindows ForensicsLinux ForensicsKQL Investigations

Data Theft (MITRE ATT&CK: T1041, T1071)

Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.

Data Theft (MITRE ATT&CK: T1041, T1071)

Overview:

Data theft involves the exfiltration of sensitive information from compromised systems. Attackers often use network-based techniques or built-in tools to exfiltrate data to external servers.

25 Example Queries for Data Theft Detection:

  1. Monitor Data Exfiltration via FTP (Port 21) FTP is commonly used for data exfiltration to external servers.

DeviceNetworkEvents | where RemotePort == 21 and ActionType == "ConnectionSuccess" | summarize count() by DeviceName, RemoteIP

  1. Detect HTTP POST Requests to External Servers Data exfiltration often occurs via HTTP POST requests.

DeviceNetworkEvents | where HttpMethod == "POST" and RemoteIP not in (expected_ips) | summarize count() by DeviceName, RemoteIP, HttpMethod

  1. Track Unusual Data Transfers Over SMB (File Copying) Data may be exfiltrated over SMB by copying sensitive files.

DeviceNetworkEvents | where RemotePort == 445 and ActionType == "FileCopy" | summarize count() by DeviceName, RemoteIP, FileShare

  1. Monitor Use of Cloud Storage Services for Data Exfiltration Attackers may use cloud services (e.g., Dropbox, Google Drive) to exfiltrate data.

DeviceNetworkEvents | where RemoteUrl contains "dropbox.com" or RemoteUrl contains "drive.google.com" | summarize count() by DeviceName, RemoteUrl

  1. Detect Use of PowerShell for File Uploads (Invoke-WebRequest) PowerShell scripts may use Invoke-WebRequest to exfiltrate data.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Invoke-WebRequest" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Track Data Exfiltration Attempts Over DNS (DNS Tunneling) DNS tunneling is used to exfiltrate data over DNS queries.

DeviceNetworkEvents | where DnsQueryType == "TXT" and RemoteIP not in (expected_ips) | summarize count() by DeviceName, RemoteIP

  1. Monitor Outbound Traffic to Suspicious IPs (External C2) Outbound traffic to suspicious or external IP addresses may indicate data exfiltration.

DeviceNetworkEvents | where RemoteIP not in (expected_ips) and ActionType == "ConnectionSuccess" | summarize count() by DeviceName, RemoteIP

  1. Detect Large Data Transfers Over Non-Standard Ports Unusually large data transfers over non-standard ports may indicate exfiltration.

DeviceNetworkEvents | where BytesSent > 1000000 and RemotePort between (1024 .. 65535) | summarize count() by DeviceName, RemoteIP, BytesSent

  1. Monitor Use of File Transfer Protocols (SFTP, SCP) for Data Exfiltration SFTP and SCP are commonly used for secure file transfers and may be abused for data exfiltration.

DeviceNetworkEvents | where RemotePort in (22, 443) and ActionType == "FileTransfer" | summarize count() by DeviceName, RemoteIP, RemotePort

  1. Track Data Exfiltration via Email (Suspicious Attachments) Data may be exfiltrated by sending sensitive files as email attachments.

DeviceProcessEvents | where FileName == "outlook.exe" and ProcessCommandLine has "attachment" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Detect Data Transfers via HTTP PUT Requests HTTP PUT requests may be used to upload data to external servers.

DeviceNetworkEvents | where HttpMethod == "PUT" and RemoteIP not in (expected_ips) | summarize count() by DeviceName, RemoteIP, HttpMethod

  1. Monitor Large Data Transfers Over RDP (Clipboard Sharing) RDP clipboard sharing may be used to exfiltrate data during remote sessions.

DeviceLogonEvents | where LogonType == "RemoteInteractive" and ClipboardDataSize > 500000 | summarize count() by AccountName, DeviceName, RemoteIP, ClipboardDataSize

  1. Track Use of USB Storage Devices for Data Exfiltration USB storage devices may be used to copy sensitive data for exfiltration.

DeviceFileEvents | where ActionType == "FileCopy" and DeviceType == "USB" | summarize count() by DeviceName, FileName, FolderPath

  1. Detect Use of Encrypted Channels for Data Exfiltration (TLS/SSL) Encrypted communication channels may be used to hide data exfiltration.

DeviceNetworkEvents | where RemotePort == 443 and BytesSent > 1000000 | summarize count() by DeviceName, RemoteIP, BytesSent

  1. Monitor File Transfers to External FTP Servers FTP servers may be used to store exfiltrated data.

DeviceNetworkEvents | where RemotePort == 21 and ActionType == "FileTransfer" | summarize count() by DeviceName, RemoteIP, BytesSent

  1. Detect Use of OneDrive for Data Exfiltration OneDrive may be used to store sensitive files outside of the corporate network.

DeviceNetworkEvents | where RemoteUrl contains "onedrive.live.com" | summarize count() by DeviceName, RemoteUrl, BytesSent

  1. Track Use of Unapproved Cloud Storage Providers (e.g., Box) Data may be exfiltrated to unapproved cloud storage services like Box.

DeviceNetworkEvents | where RemoteUrl contains "box.com" | summarize count() by DeviceName, RemoteUrl, BytesSent

  1. Monitor Data Exfiltration via VPN Services VPN services may be used to hide data exfiltration activities.

DeviceNetworkEvents | where RemotePort == 1194 or RemotePort == 443 and RemoteIP not in (expected_ips) | summarize count() by DeviceName, RemoteIP, RemotePort

  1. Detect Large Data Transfers Over ICMP (Ping Flooding) ICMP packets can be used to exfiltrate data in a covert manner.

DeviceNetworkEvents | where Protocol == "ICMP" and BytesSent > 100000 | summarize count() by DeviceName, RemoteIP

  1. Track the Use of Data Compression Tools (e.g., 7-Zip) for Exfiltration Attackers may compress files before exfiltrating them to reduce detection.

DeviceProcessEvents | where FileName == "7z.exe" or ProcessCommandLine has "compress" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Monitor Use of Secure Shell (SSH) for Data Exfiltration SSH connections may be used to exfiltrate data in a secure manner.

DeviceNetworkEvents | where RemotePort == 22 and BytesSent > 100000 | summarize count() by DeviceName, RemoteIP

  1. Detect Use of WebDAV for Data Exfiltration WebDAV is a protocol that may be used for file transfer and data exfiltration.

DeviceNetworkEvents | where RemoteUrl contains "webdav" and BytesSent > 100000 | summarize count() by DeviceName, RemoteUrl, BytesSent

  1. Track Use of File Transfer Applications (e.g., FileZilla) File transfer applications may be used to exfiltrate data.

DeviceProcessEvents | where FileName == "filezilla.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Monitor for Unusual Data Exfiltration via Secure File Transfer (HTTPS) HTTPS may be used to hide data exfiltration in encrypted traffic.

DeviceNetworkEvents | where RemotePort == 443 and BytesSent > 1000000 | summarize count() by DeviceName, RemoteIP, BytesSent

  1. Detect Use of Unapproved Email Clients for Data Exfiltration Unapproved email clients may be used to send sensitive data externally.

DeviceProcessEvents | where FileName in ("thunderbird.exe", "eudora.exe") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
PreviousLateral Movement (MITRE ATT&CK: T1076, T1021)NextDetecting CommandLine Executions (MITRE ATT&CK: T1059)

Last updated