Exfiltration (TA0010)

Technique: T1041 - Exfiltration Over C2 Channel

Objective: Detect data exfiltration over command and control channels using Microsoft Defender for Endpoint advanced hunting (DeviceNetworkEvents). T1041 is a technique, not a sub-technique; several of the items below (DNS, FTP, email, cloud storage) are strictly T1048 (Exfiltration Over Alternative Protocol) or T1567 (Exfiltration Over Web Service) rather than T1041, but they are kept together here because the hunting approach is the same.

  1. Detect Large Data Transfers to Unknown IPs

// DeviceNetworkEvents has no byte counts (there is no BytesSent column), so volume
// is approximated by the number of successful connections per endpoint pair.
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize ConnectionCount = count() by RemoteIP, LocalIP
| where ConnectionCount > 10

//Extended search
// InitiatingProcessFileSize is the size of the process image on disk, not of the
// transfer, so it is not used as a filter here.
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize EventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where EventCount > 10

Purpose: Identify hosts that repeatedly connect to public IP addresses. A true byte-volume threshold needs a source that records transfer size (firewall or proxy logs; in Microsoft Sentinel, CommonSecurityLog exposes SentBytes and ReceivedBytes). Expect most high-count destinations to be legitimate SaaS, CDN or update infrastructure, so check hits against known-good destinations before escalating.
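The queries above report every busy destination; a more useful form of the same idea, added here as an example and not part of the original page, baselines public destinations over the previous 30 days and reports only IPs a host began talking to in the last day. The 30-day/1-day windows, the `ConnectionSuccess` filter and the thresholds are assumptions to tune per environment.

```kql
// Added example: public destinations first contacted in the last 24h that one
// process on a device then connected to repeatedly. Windows and thresholds are assumptions.
let lookback = 30d;
let recent = 1d;
let KnownDestinations =
    DeviceNetworkEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
DeviceNetworkEvents
| where Timestamp > ago(recent)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
// leftanti keeps only rows whose RemoteIP does not appear in the baseline
| join kind=leftanti (KnownDestinations) on RemoteIP
| summarize ConnectionCount = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName
// a new destination hit by many devices is usually a rolled-out update or SaaS change;
// a new destination hammered from one or two devices is the interesting case
| where ConnectionCount > 50 and Devices <= 2
| order by ConnectionCount desc
```

Run it once a day over the previous day; the baseline query is the expensive part, so keep `lookback` to what your retention actually holds and consider materializing the known-destination set in a watchlist.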

  2. Monitor for DNS-Based Exfiltration

DeviceNetworkEvents
| where RemotePort == 53
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 100
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Detect DNS-based exfiltration by query volume. Endpoints resolve through internal resolvers, so RemoteIP in this result is normally the resolver, not the attacker's authoritative server; the signal is which process is generating the traffic and at what rate. On Windows most DNS traffic is attributed to the DNS Client service (svchost.exe), which will exceed 100 events in any busy hour, so tune the threshold per process and per time bin (bin(Timestamp, 1h)) and treat a non-service process talking to port 53 directly as the higher-fidelity finding. Catching tunnelling itself (long, high-entropy labels or thousands of unique subdomains under one parent domain) requires the query names from resolver or DNS-server logs.

  3. Detect HTTP POST Requests Used for Exfiltration

Purpose: Monitor for HTTP POST requests used to exfiltrate data. DeviceNetworkEvents records the connection and, where the sensor observed it, the hostname in RemoteUrl, but not the HTTP method, request size or URI, so this detection cannot be built from endpoint network telemetry alone. Use proxy, web gateway or WAF logs (in Microsoft Sentinel, CommonSecurityLog carries RequestMethod and SentBytes) and look for POSTs with large request bodies to destinations that are new to the environment.

  4. Monitor for Data Exfiltration via Cloud Storage

Purpose: Identify uploads to cloud storage services. Endpoint network telemetry shows the connection and hostname, not the direction or size of the transfer, so the usable signal is which process and account contacted a non-sanctioned file-sharing service and how often; distinguishing a corporate tenant from a personal account on the same service needs proxy logs or a CASB such as Defender for Cloud Apps.
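One way to hunt this in DeviceNetworkEvents, added here as an example and not part of the original page: match RemoteUrl against a list of consumer file-sharing domains and report non-browser processes at any volume, or any process at high volume. The domain list, the browser allow-list and the 200-connection threshold are assumptions; the list is deliberately not exhaustive and should be replaced with whatever is unsanctioned in your environment.

```kql
// Added example: connections to consumer file-sharing services from processes other than
// the approved browsers, or very many connections from any process. Domain list, browser
// list and threshold are assumptions.
let CloudStorageDomains = dynamic(["dropbox.com", "mega.nz", "mega.io", "wetransfer.com",
    "drive.google.com", "box.com", "onedrive.live.com", "pcloud.com", "mediafire.com"]);
let Browsers = dynamic(["chrome.exe", "msedge.exe", "firefox.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (CloudStorageDomains)
| summarize ConnectionCount = count(),
            Destinations = make_set(RemoteUrl, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
// a non-browser (sync client, script, archiver with upload support) is interesting at any
// volume; a browser only when it is unusually busy with the service
| where InitiatingProcessFileName !in~ (Browsers) or ConnectionCount > 200
| order by ConnectionCount desc
```

RemoteUrl is only populated when the sensor observed the hostname, so a direct-to-IP upload will not match; pair this with the hostname-less TLS hunt under the encrypted-channels item.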

  5. Detect Exfiltration via FTP

Purpose: Detect transfers over FTP. DeviceNetworkEvents has no byte counts, so match on the control channel (port 21, plus port 20 for active-mode data transfers) and on the initiating process. Passive-mode data connections use ephemeral high ports and are not caught by a port match, but the control connection is always there. In most managed environments any FTP from a workstation to the internet is worth a look.

  6. Monitor for Email-Based Exfiltration

Purpose: Identify exfiltration via email. Attachments sent through the sanctioned mail client are indistinguishable from normal traffic at the network layer; look instead for direct SMTP (ports 25, 465, 587) from processes that are not mail clients, and use mail-flow telemetry (Exchange message trace, DLP) for recipients and attachment sizes. A workstation speaking SMTP on port 25 to a public IP is itself a finding where mail is supposed to leave through a relay.
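A single hunt covering both the FTP item and the email item, added here as an example and not part of the original page: outbound connections to public IPs on the FTP and mail ports, labelled by service, with the known mail clients excluded from the mail part only. The port list and the `ExpectedMailClients` allow-list are assumptions.

```kql
// Added example for the FTP and e-mail items: outbound FTP and SMTP/submission connections
// to public IPs. Port list and the expected-client allow-list are assumptions.
let ExpectedMailClients = dynamic(["outlook.exe", "thunderbird.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where RemotePort in (20, 21, 25, 465, 587)
| extend Service = case(RemotePort in (20, 21), "FTP",
                        RemotePort == 25, "SMTP",
                        "SMTP submission")
// any process using FTP is reported; for mail, only processes that are not the expected clients
| where Service == "FTP" or InitiatingProcessFileName !in~ (ExpectedMailClients)
| summarize ConnectionCount = count(),
            RemoteIPs = make_set(RemoteIP, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, Service, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ConnectionCount desc
```

Review the InitiatingProcessCommandLine column first: PowerShell or Python invoking `Send-MailMessage`, `smtplib` or an FTP client with a credential on the command line is the pattern this hunt is meant to surface.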

  7. Detect Use of Encrypted Channels for Exfiltration

Purpose: Monitor for exfiltration over encrypted channels. Content is not available, so detection rests on destination rarity (a public IP the environment has not seen before, contacted with no hostname) and on the legitimacy of the initiating process (its folder path, signer and command line).
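The hunt below, added here as an example and not part of the original page, looks for TLS to public IPs where the sensor recorded no hostname, which is how implants that connect straight to an IP rather than a domain appear in DeviceNetworkEvents, and restricts the result to destinations concentrated on one or two devices. The thresholds are assumptions.

```kql
// Added example: TLS connections to public IPs with no recorded hostname (direct-to-IP TLS),
// concentrated on few devices. Thresholds are assumptions.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 443 and RemoteIPType == "Public"
// RemoteUrl is empty when no DNS name or SNI was observed for the connection
| where isempty(RemoteUrl)
| summarize ConnectionCount = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by RemoteIP, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName
| where ConnectionCount > 20 and Devices <= 2
| order by ConnectionCount desc
```

Some legitimate clients (CDN libraries, telemetry agents) also connect by IP, so enrich RemoteIP with your threat intelligence and an ASN lookup, and give extra weight to binaries running from user-writable paths such as %TEMP% or %APPDATA%.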

  8. Identify Data Exfiltration via WebSocket

Purpose: Detect WebSocket connections used for exfiltration. The WebSocket upgrade happens inside an established HTTP(S) session, so endpoint network telemetry sees only an ordinary TCP or TLS connection on port 80 or 443 and cannot identify it; this requires proxy logs that record the Upgrade/Connection headers or TLS inspection. From the endpoint the only indirect hint is a long-lived single connection from a process that is not a browser or collaboration client.

  9. Monitor for Data Exfiltration via Network Shares

Purpose: Identify exfiltration via network shares: SMB leaving for the internet, or one host touching an unusual number of internal shares. On Windows the SMB redirector runs in the kernel, so DeviceNetworkEvents typically attributes port 445 connections to the System process; to find the user-level process doing the copying, pivot to DeviceFileEvents on the source host, or on an onboarded file server, which records the requesting account and source IP for share access.
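Two SMB hunts combined into one result set, added here as an example and not part of the original page: any SMB to a public IP (which should not occur from a managed endpoint), and hosts that connected to many distinct internal SMB servers in a day. The fan-out threshold is an assumption; results are grouped by device only because the initiating process is normally System.

```kql
// Added example: SMB (445) egress to public IPs, plus hosts connecting to unusually many
// distinct internal SMB servers in one day. The fan-out threshold is an assumption.
let SmbToInternet =
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | where RemotePort == 445 and RemoteIPType == "Public"
    | summarize ConnectionCount = count(), RemoteIPs = make_set(RemoteIP, 10) by DeviceName
    | extend Finding = "SMB to public IP";
let SmbFanOut =
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | where ActionType == "ConnectionSuccess"
    | where RemotePort == 445 and RemoteIPType == "Private"
    | summarize ConnectionCount = count(),
                DistinctServers = dcount(RemoteIP),
                RemoteIPs = make_set(RemoteIP, 10)
        by DeviceName
    // a workstation normally talks to a handful of file servers and domain controllers
    | where DistinctServers > 20
    | extend Finding = "SMB fan-out";
union SmbToInternet, SmbFanOut
| order by ConnectionCount desc
```

Expect backup servers, vulnerability scanners and administrative jump hosts to dominate the fan-out half; exclude them by DeviceName once confirmed rather than raising the threshold.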

  10. Detect Use of Unknown Protocols for Exfiltration

Purpose: Monitor for exfiltration over unknown or unusual protocols. A bespoke exfiltration tool tends to use a destination port (and sometimes UDP where the rest of the fleet uses TCP) that no sanctioned application uses, so the hunt is for port/protocol combinations that are rare across devices yet busy on the few devices that use them.
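A fleet-wide rarity hunt for that pattern, added here as an example and not part of the original page: exclude the well-known service ports, then report port/protocol pairs used by three or fewer devices with a high connection count. The excluded-port list and thresholds are assumptions.

```kql
// Added example: destination ports on public IPs that are rare across the fleet (used by few
// devices) yet busy on those devices. Port exclusions and thresholds are assumptions.
let CommonPorts = dynamic([80, 443, 53, 123, 25, 465, 587, 993, 995, 22, 3389]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where RemotePort !in (CommonPorts)
| summarize Devices = dcount(DeviceId),
            ConnectionCount = count(),
            RemoteIPs = make_set(RemoteIP, 10),
            Processes = make_set(InitiatingProcessFileName, 10)
    by RemotePort, Protocol
// rare across the estate but heavily used where it appears
| where Devices <= 3 and ConnectionCount > 100
| order by ConnectionCount desc
```

Grouping by port rather than by destination is what makes this a protocol hunt: an implant that rotates IPs but keeps its listener port still shows up as one row.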
