Detects the export of a crital Registry key to a file.

Read More

Detects the export of the target Registry key to a file.

Read More

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Read More

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Read More

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Read More

Detects instances where a TFTP service on an OpenCanary node has had a request.

Read More

Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.

Read More

Detects suspicious DNS queries to Monero mining pools

Read More

Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Read More

Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

Read More

Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Read More

Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.

Read More

Detects suspicious user agent string of APT40 Dropbox tool

Read More

Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.

Read More

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Read More

Detects the change of database master password. It may be a part of data exfiltration.

Read More

Detects when a user tampers with S3 data management in Amazon Web Services.

Read More

Detects the modification of an EC2 snapshot's permissions to enable access from another account

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Read More

Detects a copy command or a copy utility execution to or from an Admin share or remote

Read More

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.

Read More

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Read More

Detects the execution of the hdiutil utility in order to create a disk image.

Read More

Well-known DNS Exfiltration tools execution

Read More

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

Read More

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Read More

Detects DNS queries for subdomains related to MEGA sharing website

Read More

Detects DNS queries for subdomains related to MEGA sharing website

Read More

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Read More

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Read More

Identifies IPs performing DNS lookups associated with common Tor proxies.

Read More

Detects email exfiltration via powershell cmdlets

Read More

Detects when a user performs data exfiltration by using DataSvcUtil.exe

Read More

Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.

Read More

Detects potential exfiltration attempt via audio file using PowerShell

Read More

DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel

Read More

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Read More

Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.

Read More

Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.

Read More

Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Read More

Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc

Read More

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Read More

Detects Rclone config files being created

Read More

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

Read More

Detection use of the command "split" to split files into parts and possible transfer.

Read More

Detection use of the command "split" to split files into parts and possible transfer.

Read More

Detects a suspicious curl process start the adds a file to a web request

Read More

Detects suspicious DNS queries using base64 encoding

Read More

Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.

Read More

Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

Read More

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Read More

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Read More

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Read More

Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.

Read More

Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers

Read More

Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields

Read More

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397

Read More

Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication

Read More

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Read More

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

Read More

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques

Read More

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).

Read More

A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

Read More

Detection of a exfiltration activity using rclone from Windows network shares using SMB.

Read More

Detects DNS queries for subdomains used for upload to ufile.io

Read More

Detects process execution of RClone or similar tools used by ransomware operators to exfiltrate data.

Read More

Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.

Read More

High DNS queries bytes amount from host per short period of time

Read More

High DNS queries bytes amount from host per short period of time

Read More

High DNS requests amount from host per short period of time

Read More

High DNS requests amount from host per short period of time

Read More

Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution

Read More

Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution

Read More

Detects large DNS domain names

Read More

Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.

Read More

This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body

Read More

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Read More