Sigma Rules
121 rules found for "exfiltration"
Github Fork Private Repositories Setting Enabled/Cleared
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
GitHub Repository Pages Site Changed to Public
Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.
Github Repository/Organization Transferred
Detects when a repository or an organization is being transferred to another location.
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
OpenCanary - TFTP Request
Detects instances where a TFTP service on an OpenCanary node has had a request.
Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
AWS RDS Master Password Change
Detects the change of database master password. It may be a part of data exfiltration.
Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
Restore Public AWS RDS Instance
Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
AWS S3 Data Management Tampering
Detects when a user tampers with S3 data management in Amazon Web Services.
AWS Snapshot Backup Exfiltration
Detects the modification of an EC2 snapshot's permissions to enable access from another account
Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Data Exfiltration to Unsanctioned Apps
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
Suspicious Inbox Forwarding
Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Suspicious OAuth App File Download Activities
Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Data Exfiltration with Wget
Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
Split A File Into Pieces - Linux
Detection use of the command "split" to split files into parts and possible transfer.
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start the adds a file to a web request
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
Split A File Into Pieces
Detection use of the command "split" to split files into parts and possible transfer.
Cisco Stage Data
Various protocols maybe used to put data on the device for exfil or infil
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
WebDav Put Request
A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
Rclone Activity via Proxy
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Tap Driver Installation
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Ufile.io
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
EVTX Created In Uncommon Location
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Rclone Config File Creation
Detects Rclone config files being created
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.