Detect Data Exfiltration Techniques with Falcon Next-Gen SIEM

Adversaries may tamper with organizations’ infrastructure to facilitate data exfiltration. Some examples include:It is essential to recognize the warning signs of data exfiltration in order to contain its effects. These can easily translate into investigative action points or threat hunting leads. Let’s go through some key behavior patterns associated with an exfiltration operation.

Understanding Exfiltration Techniques

See Falcon Next-Gen SIEM in action in these fast-paced demos.

Cloud-Based Exfiltration

Sensitive data theft is among adversaries’ most common goals. For defenders, data exfiltration can lead to the compromise of customer data, public exposure of trade secrets, and potentially permanent business and reputational damage. Victims of data exfiltration may also face legal issues for non-compliance with data protection laws. This must be a top concern for businesses.

Cloud storage services: Adversaries may use cloud storage services such as Dropbox, Google Drive, or OneDrive to exfiltrate data. These services typically use protocols like HTTPS, making it difficult to detect malicious activity. Furthermore, if the adversary has remote desktop (RDP) access to an infected system, they can use pre-installed applications such as web browsers or file-sharing clients to upload data, making detection even more challenging.
Cloud-based email services: Adversaries may also use cloud-based email services such as Gmail, Outlook, or Yahoo Mail to exfiltrate data. Email services typically use common protocols like SMTP, IMAP, or POP3, making it difficult to distinguish between legitimate and malicious email activity. If the adversary has access to the infected system’s email client or web-based email interface, they can use pre-existing email accounts or create new ones to send data to external email addresses.
Cloud-based data migration services: Although normally used for administrative tasks, adversaries with unauthorized access may abuse cloud data migration services to transfer unauthorized data from a private location to a location in the adversary’s control, leading to data compromise.

CrowdStrike Services responded to an incident involving INDRIK SPIDER and BITWISE SPIDER’s LockBit RED ransomware. During this incident, INDRIK SPIDER exfiltrated credentials from the cloud-based credential manager Azure Key Vault. This example highlights the growing trend of ransomware groups using data exfiltration to increase pressure on victims.

Network-Based Exfiltration

In all cases, correlation of endpoint and network events at scale is crucial to detecting and preventing exfiltration.

Exfiltration over alternative protocols, such as HTTP, FTP, or DNS, which can make it difficult to distinguish between legitimate and malicious traffic
Exfiltration over command-and-control (C2) channels, which can be used to transmit data back to the attacker’s server

To detect these patterns, one would generally look to outbound traffic to external unknown or otherwise suspicious destinations.

Physical Media-Based Exfiltration

As an example, the following CQL query identifies outbound ICMP traffic exceeding 5MB per hour:

USB drives and removable media: Adversaries may use USB drives or other removable media to exfiltrate data. This can be done by simply plugging in a USB drive and copying sensitive data, or by using more sophisticated techniques like USB-based malware.
Printed or written documents: Adversaries may use printed or written documents to exfiltrate data. This can be done by printing sensitive information and physically removing it from the premises, or by writing down sensitive information and transmitting it through other means.

Physical media-based exfiltration involves the use of physical devices or media to exfiltrate data. This type of exfiltration is often associated with, but not limited to, insider threats, as it requires physical access to the device or media. Common patterns include:

Real-World Examples

For example, the following CrowdStrike Query Language (CQL) query identifies attempts to change the attributes of an AWS Amazon Machine Image (AMI), such as sharing it publicly or with another AWS account.

SCATTERED SPIDER: Cloud-Conscious Exfiltration

defineTable( query={ #event_simpleName="UserLogon" LogonType=10 | bucket(field=["UserName", "LogonServer"], span=1h, function=count(as=hourly_login_count), limit=500) | hourly_login_count > 0 | groupBy(["UserName", "LogonServer"], function=[ avg(hourly_login_count, as=hourly_average_login_count), stdDev(hourly_login_count, as=hourly_stddev_login_count) ]) }, include=[*], name="user_login_baseline", start=7d, end=1h ) | #event_simpleName=UserLogon LogonType=10 | groupBy(["UserName", "LogonServer"], function=[count(field="AuthenticationId", as=total_logins, distinct=true)]) | match(file="user_login_baseline", field=["UserName", "LogonServer"], strict=false) | threshold := hourly_average_login_count + (2.5 * hourly_stddev_login_count) | case { threshold!=* | threshold := "0"; // User not in baseline *; } | test(total_logins>threshold)

Physical Medium Patterns

#repo="base_sensor" | (#event_simpleName="DcUsbDeviceConnected") OR (#event_simpleName=/(.*)FileWritten$/ IsOnRemovableDisk=1) | DeviceId := DeviceInstanceId | DeviceId := DiskParentDeviceInstanceId // // Allowlist for known Device IDs // | DeviceId!=/XYZ/ // | selfJoinFilter([aid, DeviceId], where=[ { #event_simpleName=DcUsbDeviceConnected }, { #event_simpleName=/(.*)FileWritten$/ IsOnRemovableDisk=1 } ] ) | ReadableEventTime := formatTime("%Y-%m-%dT %H:%M:%S", field=@timestamp, locale=en_US) | case{ #event_simpleName=*FileWritten | FileSizeKB:= unit:convert(Size, binary=true, to=k) | format("%,d KB",field=["FileSizeKB"], as="FileSizeKB") | format("%s - %s (%s)", field=[ReadableEventTime, FileName,FileSizeKB], as=FileDetails);


  #event_simpleName=DcUsbDeviceConnected

| format("%s, %s, %s",field=[DeviceProduct, DeviceManufacturer, DevicePropertyClassName], as=DeviceInformation);
   *;

}

// Perform aggregation

| groupBy([aid, DeviceId],

function=([

collect([ComputerName, DeviceInformation, FileDetails])

])

)

| drop([DeviceId])

// Perform aggregation | groupBy([aid, DeviceId], function=([ collect([ComputerName, DevicePropertyClassName, DeviceManufacturer, DeviceProduct, FileDetails]) ]) )

Detect Exfiltration Attacks with Falcon Next-Gen SIEM

#Vendor="vmware" #event.module="esxi" | #event.kind="event" | array:contains("event.category[]", value="process") | array:contains("event.type[]", value="start") | case { //direct manipulation of .ash_history file.; process.command_line=/(rm|>|/dev/null|vi)s+.+?.ash_history/ ; //clearing via history command; process.command_line=/historys+-c/ ; //disable history for current session process.command_line=/sets++os+history/ ; } | ReadableEventTime := formatTime("%Y-%m-%dT %H:%M:%S", field=@timestamp, locale=en_US) // Perform aggregation | groupBy([host.name], function=[collect([process.command_line, ReadableEventTime])])

Data Staging Patterns

Adversaries often transfer data from a compromised system or network to an external location within their control, using various network protocols. Two common techniques include:

VICE SPIDER: Targeted Exfiltration

MITRE ATT&CK® offers good coverage of potential techniques that could be used to achieve exfiltration. In general, exfiltration channels can be grouped into three categories: cloud-based, network-based, and physical media-based. Below is a brief overview of each method.

Data Exfiltration Warning Signs

One can, for example, identify suspicious search queries of emails and documents containing sensitive keywords using the following CQL query:

Provisioning Patterns

| array:contains(array="event.category[]", value="network") | network.transport="icmp" network.bytes>=0 | cidr(source.ip, subnet=["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1"]) | !cidr(destination.ip, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1"]) // Extend with common exclusions | destination.ip =~ !in(values=["1.1.1.1", "8.8.4.4", "8.8.8.8", "9.9.9.9"]) // // Include only matches from CrowdStrike TI. Variation: Configure 'confidenceThreshold' as "unverified" | ioc:lookup(field=destination.ip,type="ip_address",confidenceThreshold="high") // Perform aggregation | groupBy([source.ip, destination.ip], function=sum(network.bytes, as="total_bytes")) | total_mega_bytes := total_bytes/1024/1024 | total_mega_bytes >= 5

Anomalous Endpoint Patterns

Cloud-based exfiltration is becoming increasingly popular among attackers as it provides a convenient and often overlooked channel for data exfiltration. Common cloud-based exfiltration patterns include:
In this blog, we examine various data exfiltration methods affecting cloud environments, networks, and physical media. We also share examples of how eCrime adversaries, including SCATTERED SPIDER, INDRIK SPIDER, and GRACEFUL SPIDER, conduct data exfiltration through cloud targeting, ransomware, zero-day exploitation, and other tactics. Finally, we demonstrate how the capabilities of the CrowdStrike Falcon® platform, including CrowdStrike Falcon® Next-Gen SIEM and CrowdStrike Falcon® Adversary Intelligence, detect this activity.

Removal of shell history
Deletion of event logs
Changes in security settings or tampering with active monitoring tools
Actions taken in incognito browser sessions

Using CQL, one can, for example, detect anomalous remote login activity by establishing a baseline of normal login patterns and flagging current activity that exceeds 2.5 standard deviations above the established average:
The adversary also accessed credentials stored in various cloud services, including AWS Secrets Manager, HashiCorp Vault, and SharePoint. In one instance, they located a domain controller inside a victim’s Azure tenant, copied the disks, and created a new adversary-controlled virtual machine (VM) to mount the disk copies. From these disk copies, they dumped the Active Directory (AD) database NTDS.

Anomalous search queries or file access patterns across multiple systems within a short time frame
Unusual bulk compression or encryption of files
Large-scale data retrieval from repositories, or network shares by new users with recently granted access
Changing of file or directory permissions, or sharing attributes without a legitimate business purpose
Copies of sensitive files
Screenshots of sensitive files taken

SCATTERED SPIDER was a prominent threat actor in 2024. They demonstrated advanced tradecraft in targeted cloud environments and focused on maintaining persistence, obtaining credentials, moving laterally, and exfiltrating data. One notable tactic involved using the open-source S3 browser to exfiltrate data to an external adversary-controlled S3 bucket.

| #Vendor="aws" event.provider="ec2.amazonaws.com" | #event.kind="event" | event.action="ModifyImageAttribute" | Vendor.requestParameters.launchPermission.add.items[0].group="all" OR Vendor.requestParameters.launchPermission.add.items[0].userId=* | ReadableEventTime := formatTime("%Y-%m-%dT %H:%M:%S", field=@timestamp, locale=en_US) // Perform aggregation | groupBy([Vendor.requestParameters.imageId], function=collect([source.ip, user.name, cloud.region, ReadableEventTime]))

Anti-Forensic Patterns

Proper configuration of IAM policies, implementation of least-privilege access, and continuous monitoring of data transfer activities are essential controls to prevent abuse of these services. However, detection of anomalous data transfer activities must supplement these policies.
VICE SPIDER used PowerShell scripting to automate data exfiltration by searching for specific directory and file names containing sensitive keywords. This exfiltration of data was then later used in an attempt to extort victim organizations.

Installation of new software on systems without a legitimate business purpose, such as remote desktop applications
Excessive browser uploads or unusual network traffic on virtual hosts
Unusual user logins, from unusual locations or at odd hours, or otherwise unusual activity levels
Multiple failed login attempts
File system anomalies, such as modified timestamps, unexpected file deletions, or the creation of new and unexpected files or directories
File uploads conducted with unknown, unusual binaries or tools that have just been installed/downloaded

For example, through CQL, one can create a query that reviews files written to an arbitrary external device:

Anomalous Traffic Patterns

As an example, the following CQL query identifies attempts to clear or disable the ESXi Shell command line history from an interactive ESXi terminal:
GRACEFUL SPIDER, a group operating since 2016, exploited three zero-days to exfiltrate data from hundreds of victims worldwide. This campaign resulted in the second-highest number of dedicated leak site (DLS) posts that year. GRACEFUL SPIDER’s use of zero-days demonstrates their growing sophistication in their pursuit of sensitive data.
As outlined in the CrowdStrike 2024 Global Threat Report, multiple threat actors used exfiltration techniques, with a greater focus on cloud environments. As the threat landscape continues to shift, it’s essential for organizations to stay vigilant by implementing robust security measures to protect their sensitive data. Here’s a snapshot of some of the cases observed by CrowdStrike.

Detect Data Exfiltration Techniques with Falcon Next-Gen SIEM

8 Linux Commands to Diagnose Hard Drive Issues in Linux

How to Use BEGIN and END Effectively in Awk

How to Use PyTest for Unit Testing in Python

How to Personalize Fedora Desktop with Themes and Extensions

15 Best Tiling Window Managers for Linux in 2025

Tips for Ecommerce Success: Black Friday & Cyber Monday