SOC OperationsIncident ResponseWindows ForensicsLinux ForensicsKQL Investigations

Exfiltration (TA0010)

Sub-technique: T1041 - Exfiltration Over C2 Channel

Objective: Detect data exfiltration over command and control channels.

  1. Detect Large Data Transfers to Unknown IPs

DeviceNetworkEvents | where BytesSent > 1000000 | summarize count() by RemoteIP, LocalIP | where count() > 10

//Extended search
DeviceNetworkEvents
| where InitiatingProcessFileSize > 1000000
| summarize EventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFileSize
| where EventCount > 10

Purpose: Identify large data transfers to unknown IP addresses.

  1. Monitor for DNS-Based Exfiltration

DeviceNetworkEvents
| where RemotePort == 53
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 100
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Detect DNS-based exfiltration.

  1. Detect HTTP POST Requests Used for Exfiltration

DeviceNetworkEvents
| where RemotePort == 80 or RemotePort == 443
| where RemoteIP has "POST"
| project Timestamp, DeviceName, RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc

Purpose: Monitor for HTTP POST requests used to exfiltrate data.

  1. Monitor for Data Exfiltration via Cloud Storage

let cloud_storage_ip_list = dynamic(["IP1", "IP2", "IP3"]); // Replace with actual IPs
DeviceNetworkEvents
| where RemoteIP in (cloud_storage_ip_list)
| summarize eventCount = count() by RemoteIP, LocalIP
| where eventCount > 50
| project RemoteIP, LocalIP, eventCount

Purpose: Identify data uploads to cloud storage services.

  1. Detect Exfiltration via FTP

DeviceNetworkEvents
| where RemotePort == 21
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Detect large data transfers over FTP.

  1. Monitor for Email-Based Exfiltration

DeviceNetworkEvents
| where RemotePort == 25 or RemotePort == 587
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Identify data exfiltration attempts via email.

  1. Detect Use of Encrypted Channels for Exfiltration

DeviceNetworkEvents
| where RemotePort == 443 or RemotePort == 22
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Monitor for data exfiltration over encrypted channels.

  1. Identify Data Exfiltration via WebSocket

DeviceNetworkEvents
| where RemotePort == 443
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName, Timestamp, DeviceName
| where eventCount > 10
| project Timestamp, DeviceName, RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc

Purpose: Detect WebSocket connections used for exfiltration.

  1. Monitor for Data Exfiltration via Network Shares

DeviceNetworkEvents
| where RemotePort == 445
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 20
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Identify data exfiltration via network shares.

  1. Detect Use of Unknown Protocols for Exfiltration

DeviceNetworkEvents
| where Protocol !in~ ("TCP", "UDP", "ICMP", "TcpV4", "", "TcpV6", "Kerberos")
| summarize eventCount = count() by Protocol, RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project Protocol, RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Monitor for exfiltration over unknown or unusual protocols.

PreviousCommand and Control (TA0011)NextImpact (TA0040)

Last updated