Tactic: Exfiltration

First Time Seen Removable Device

Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Initial Access Tactic: Exfiltration Data Source: Elastic Endgame Data Source: Elastic Defend ·

Share on:

Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.

AWS EC2 Full Network Packet Capture Detected

Jun 22, 2023 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Use Case: Network Security Monitoring Tactic: Exfiltration Tactic: Collection ·

Share on:

Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.

AWS EC2 Snapshot Activity

Jun 22, 2023 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Use Case: Asset Visibility Tactic: Exfiltration Resources: Investigation Guide ·

Share on:

An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.

AWS EC2 VM Export Failure

Jun 22, 2023 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Use Case: Asset Visibility Tactic: Exfiltration Tactic: Collection ·

Share on:

Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.

AWS RDS Snapshot Export

Jun 22, 2023 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Use Case: Asset Visibility Tactic: Exfiltration ·

Share on:

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

GCP Logging Sink Modification

Jun 22, 2023 · Domain: Cloud Data Source: GCP Data Source: Google Cloud Platform Use Case: Log Auditing Tactic: Exfiltration ·

Share on:

Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.

Microsoft 365 Exchange Transport Rule Creation

Jun 22, 2023 · Domain: Cloud Data Source: Microsoft 365 Use Case: Configuration Audit Tactic: Exfiltration ·

Share on:

Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.

Microsoft 365 Exchange Transport Rule Modification

Jun 22, 2023 · Domain: Cloud Data Source: Microsoft 365 Use Case: Configuration Audit Tactic: Exfiltration ·

Share on:

Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.

Microsoft 365 Mass download by a single user

Jun 22, 2023 · Domain: Cloud Data Source: Microsoft 365 Use Case: Configuration Audit Tactic: Exfiltration ·

Share on:

Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.