hunting-for-data-exfiltration-indicators
SKILL.md
Hunting for Data Exfiltration Indicators
When to Use
- When hunting for data theft in compromised environments
- After detecting unusual outbound data volumes or patterns
- When investigating potential insider threat data theft
- During incident response to determine what data was stolen
- When threat intel indicates data exfiltration campaigns targeting your sector
Prerequisites
- Network proxy/firewall logs with byte-level data transfer metrics
- DLP solution or CASB with cloud upload visibility
- DNS query logs for DNS exfiltration detection
- Email gateway logs for attachment monitoring
- SIEM with data volume anomaly detection capabilities
Workflow
- Define Exfiltration Channels: Identify potential channels (HTTP/S uploads, DNS tunneling, email attachments, cloud storage, removable media, encrypted protocols).
- Baseline Normal Data Flows: Establish baseline outbound data transfer volumes per user, host, and destination over a 30-day window.
- Detect Volume Anomalies: Identify hosts or users transferring significantly more data than baseline to external destinations.
- Analyze Transfer Destinations: Check destination domains/IPs against threat intel, identify newly registered domains, personal cloud storage, and foreign infrastructure.
- Inspect Protocol Abuse: Look for DNS tunneling (large/frequent TXT queries), ICMP tunneling, or data hidden in allowed protocols.
- Correlate with File Access: Link exfiltration indicators to file access events on sensitive file shares, databases, or repositories.
- Report and Contain: Document findings with evidence, estimate data exposure, and recommend containment actions.
Key Concepts
| Concept | Description |
|---|---|
| T1041 | Exfiltration Over C2 Channel |
| T1048 | Exfiltration Over Alternative Protocol |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 |
| T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 |
| T1567 | Exfiltration Over Web Service |
| T1567.002 | Exfiltration to Cloud Storage |
| T1052 | Exfiltration Over Physical Medium |
| T1029 | Scheduled Transfer |
| T1030 | Data Transfer Size Limits (staging) |
| T1537 | Transfer Data to Cloud Account |
| T1020 | Automated Exfiltration |
Tools & Systems
| Tool | Purpose |
|---|---|
| Splunk | SIEM for data volume analysis and SPL queries |
| Zeek | Network metadata for data flow analysis |
| Microsoft Defender for Cloud Apps | CASB for cloud exfiltration |
| Netskope | Cloud DLP and exfiltration detection |
| Suricata | Network IDS for protocol anomaly detection |
| RITA | DNS exfiltration and beacon detection |
| ExtraHop | Network traffic analysis for data flow |
Common Scenarios
- Cloud Storage Exfiltration: User uploads sensitive documents to personal Google Drive or Dropbox via browser.
- DNS Tunneling: Malware exfiltrates data encoded in DNS subdomain queries to attacker-controlled nameserver.
- HTTPS Upload: Compromised system POSTs large data blobs to C2 server over encrypted HTTPS.
- Email Attachment Exfiltration: Insider forwards sensitive documents to personal email accounts.
- Staging and Compression: Adversary stages data in compressed archives before slow exfiltration to avoid detection.
Output Format
Hunt ID: TH-EXFIL-[DATE]-[SEQ]
Exfiltration Channel: [HTTP/DNS/Email/Cloud/USB]
Source: [Host/User]
Destination: [Domain/IP/Service]
Data Volume: [Bytes/MB/GB]
Time Period: [Start - End]
Protocol: [HTTPS/DNS/SMTP/SMB]
Files Involved: [Count/Types]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Weekly Installs
2
Repository
mukul975/anthro…y-skillsGitHub Stars
2.4K
First Seen
3 days ago
Security Audits
Installed on
amp2
cline2
opencode2
cursor2
kimi-cli2
codex2