Exfiltration (TA0010)

Sub-technique: T1041 - Exfiltration Over C2 Channel

Objective: Detect data exfiltration over command and control channels.

Detect Large Data Transfers to Unknown IPs

DeviceNetworkEvents | where BytesSent > 1000000 | summarize count() by RemoteIP, LocalIP | where count() > 10

//Extended search
DeviceNetworkEvents
| where InitiatingProcessFileSize > 1000000
| summarize EventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFileSize
| where EventCount > 10

Purpose: Identify large data transfers to unknown IP addresses.

Monitor for DNS-Based Exfiltration

DeviceNetworkEvents
| where RemotePort == 53
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 100
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Detect DNS-based exfiltration.

Detect HTTP POST Requests Used for Exfiltration

DeviceNetworkEvents
| where RemotePort == 80 or RemotePort == 443
| where RemoteIP has "POST"
| project Timestamp, DeviceName, RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc

Purpose: Monitor for HTTP POST requests used to exfiltrate data.

Monitor for Data Exfiltration via Cloud Storage

let cloud_storage_ip_list = dynamic(["IP1", "IP2", "IP3"]); // Replace with actual IPs
DeviceNetworkEvents
| where RemoteIP in (cloud_storage_ip_list)
| summarize eventCount = count() by RemoteIP, LocalIP
| where eventCount > 50
| project RemoteIP, LocalIP, eventCount

Purpose: Identify data uploads to cloud storage services.

Detect Exfiltration via FTP

DeviceNetworkEvents
| where RemotePort == 21
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Detect large data transfers over FTP.

Monitor for Email-Based Exfiltration

DeviceNetworkEvents
| where RemotePort == 25 or RemotePort == 587
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Identify data exfiltration attempts via email.

Detect Use of Encrypted Channels for Exfiltration

DeviceNetworkEvents
| where RemotePort == 443 or RemotePort == 22
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Monitor for data exfiltration over encrypted channels.

Identify Data Exfiltration via WebSocket

DeviceNetworkEvents
| where RemotePort == 443
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName, Timestamp, DeviceName
| where eventCount > 10
| project Timestamp, DeviceName, RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc

Purpose: Detect WebSocket connections used for exfiltration.

Monitor for Data Exfiltration via Network Shares

DeviceNetworkEvents
| where RemotePort == 445
| summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 20
| project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Identify data exfiltration via network shares.

Detect Use of Unknown Protocols for Exfiltration

DeviceNetworkEvents
| where Protocol !in~ ("TCP", "UDP", "ICMP", "TcpV4", "", "TcpV6", "Kerberos")
| summarize eventCount = count() by Protocol, RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| where eventCount > 10
| project Protocol, RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName
| order by eventCount desc

Purpose: Monitor for exfiltration over unknown or unusual protocols.

PreviousCommand and Control (TA0011)NextImpact (TA0040)

Last updated 3 months ago

DeviceNetworkEvents | where BytesSent > 1000000 | summarize count() by RemoteIP, LocalIP | where count() > 10 //Extended search DeviceNetworkEvents | where InitiatingProcessFileSize > 1000000 | summarize EventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFileSize | where EventCount > 10

DeviceNetworkEvents | where RemotePort == 53 | summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | where eventCount > 100 | project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by eventCount desc

DeviceNetworkEvents | where RemotePort == 80 or RemotePort == 443 | where RemoteIP has "POST" | project Timestamp, DeviceName, RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName | order by Timestamp desc

let cloud_storage_ip_list = dynamic(["IP1", "IP2", "IP3"]); // Replace with actual IPs DeviceNetworkEvents | where RemoteIP in (cloud_storage_ip_list) | summarize eventCount = count() by RemoteIP, LocalIP | where eventCount > 50 | project RemoteIP, LocalIP, eventCount

DeviceNetworkEvents | where RemotePort == 21 | summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | where eventCount > 10 | project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by eventCount desc

DeviceNetworkEvents | where RemotePort == 25 or RemotePort == 587 | summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | where eventCount > 10 | project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by eventCount desc

DeviceNetworkEvents | where RemotePort == 443 or RemotePort == 22 | summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | where eventCount > 10 | project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by eventCount desc

DeviceNetworkEvents | where RemotePort == 443 | summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessFileName, Timestamp, DeviceName | where eventCount > 10 | project Timestamp, DeviceName, RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessFileName | order by Timestamp desc

DeviceNetworkEvents | where RemotePort == 445 | summarize eventCount = count() by RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | where eventCount > 20 | project RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by eventCount desc

DeviceNetworkEvents | where Protocol !in~ ("TCP", "UDP", "ICMP", "TcpV4", "", "TcpV6", "Kerberos") | summarize eventCount = count() by Protocol, RemoteIP, LocalIP, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | where eventCount > 10 | project Protocol, RemoteIP, LocalIP, eventCount, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by eventCount desc