Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration

Detects a suspicious curl process start the adds a file to a web request

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.

Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques

Well-known DNS Exfiltration tools execution

Detects email exfiltration via powershell cmdlets

Detects the export of a crital Registry key to a file.

Detects a suspicious copy command to or from an Admin share or remote

Detects the export of the target Registry key to a file.

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Detects DNS queries for subdomains used for upload to MEGA.io

Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration

Detects potential exfiltration attempt via audio file using PowerShell

Detects suspicious DNS queries using base64 encoding

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.

Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication

Detects suspicious user agent string of APT40 Dropbox tool

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel

Detects DNS queries for subdomains used for upload to MEGA.io

Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration

Identifies IPs performing DNS lookups associated with common Tor proxies.

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Detects the modification of an EC2 snapshot's permissions to enable access from another account

Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields

Detection of a exfiltration activity using rclone from Windows network shares using SMB.

Detects DNS queries for subdomains used for upload to ufile.io

Various protocols maybe used to put data on the device for exfil or infil

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Dnscat exfiltration tool execution

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Detection use of the command "split" to split files into parts and possible transfer.

Execution of well known tools for data exfiltration and tunneling

Detects when a user performs data exfiltration by using DataSvcUtil.exe

Upload file, credentials or data exfiltration with Binary part of Windows Defender