hunting-for-data-exfiltration-indicators
Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud storage uploads, and encrypted channel abuse.
What this skill does
# Hunting for Data Exfiltration Indicators

## When to Use

- When hunting for data theft in compromised environments
- After detecting unusual outbound data volumes or patterns
- When investigating potential insider threat data theft
- During incident response to determine what data was stolen
- When threat intel indicates data exfiltration campaigns targeting your sector

## Prerequisites

- Network proxy/firewall logs with byte-level data transfer metrics
- DLP solution or CASB with cloud upload visibility
- DNS query logs for DNS exfiltration detection
- Email gateway logs for attachment monitoring
- SIEM with data volume anomaly detection capabilities

## Workflow

1. **Define Exfiltration Channels**: Identify potential channels (HTTP/S uploads, DNS tunneling, email attachments, cloud storage, removable media, encrypted protocols).
2. **Baseline Normal Data Flows**: Establish baseline outbound data transfer volumes per user, host, and destination over a 30-day window.
3. **Detect Volume Anomalies**: Identify hosts or users transferring significantly more data than baseline to external destinations.
4. **Analyze Transfer Destinations**: Check destination domains/IPs against threat intel; identify newly registered domains, personal cloud storage, and foreign infrastructure.
5. **Inspect Protocol Abuse**: Look for DNS tunneling (large/frequent TXT queries), ICMP tunneling, or data hidden in allowed protocols.
6. **Correlate with File Access**: Link exfiltration indicators to file access events on sensitive file shares, databases, or repositories.
7. **Report and Contain**: Document findings with evidence, estimate data exposure, and recommend containment actions.
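Steps 2 and 3 of the workflow (baseline, then flag volume outliers) as an added example, not part of the original skill: it runs over constructed Zeek `conn.log`-style records, uses an assumed list of internal address ranges to decide what counts as outbound, and shortens the 30-day window to six days so the data fits inline.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; traffic to these is excluded from the outbound baseline.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek conn.log-style records (day, id.orig_h, id.resp_h, orig_bytes); not real
# traffic. orig_bytes is what the internal host sent. Six-day window instead of 30 for brevity.
CONN_RECORDS = [
    # 10.0.0.5: ~2 MB/day outbound for five days, then a ~950 MB upload to a new destination
    *[(f"2024-05-0{d}", "10.0.0.5", "203.0.113.10", 2_000_000 + d * 50_000) for d in range(1, 6)],
    ("2024-05-06", "10.0.0.5", "198.51.100.7", 950_000_000),
    # 10.0.0.9: steady 40 MB/day, nothing unusual
    *[(f"2024-05-0{d}", "10.0.0.9", "203.0.113.10", 40_000_000) for d in range(1, 7)],
    # internal-to-internal copy: large, but not outbound, so it must not trigger
    ("2024-05-06", "10.0.0.9", "10.0.0.20", 900_000_000),
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def daily_outbound(records):
    """Per host, sum bytes sent to external destinations on each day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, sent in records:
        if not is_internal(dst):
            totals[src][day] += sent
    return totals

def volume_anomalies(records, min_baseline_days=3, ratio=10.0):
    """Return (host, day, bytes, baseline_median) when a day's outbound volume exceeds
    `ratio` times the median of that host's other days. The median is used instead of
    mean+stdev so the anomalous day itself does not inflate the baseline."""
    alerts = []
    for host, per_day in daily_outbound(records).items():
        for day, sent in sorted(per_day.items()):
            others = [b for d, b in per_day.items() if d != day]
            if len(others) < min_baseline_days:
                continue
            base = statistics.median(others)
            if base > 0 and sent / base > ratio:
                alerts.append((host, day, sent, base))
    return alerts

if __name__ == "__main__":
    for host, day, sent, base in volume_anomalies(CONN_RECORDS):
        print(f"{host} {day}: {sent / 1e6:.0f} MB out, baseline median {base / 1e6:.1f} MB")
```

The flagged (host, day, destination) triple is the starting point for step 4 (destination analysis) and step 6 (file access correlation).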
## Key Concepts

| ATT&CK ID | Technique |
|-----------|-----------|
| T1041 | Exfiltration Over C2 Channel |
| T1048 | Exfiltration Over Alternative Protocol |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 |
| T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 |
| T1567 | Exfiltration Over Web Service |
| T1567.002 | Exfiltration to Cloud Storage |
| T1052 | Exfiltration Over Physical Medium |
| T1029 | Scheduled Transfer |
| T1030 | Data Transfer Size Limits (staging) |
| T1537 | Transfer Data to Cloud Account |
| T1020 | Automated Exfiltration |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Splunk | SIEM for data volume analysis and SPL queries |
| Zeek | Network metadata for data flow analysis |
| Microsoft Defender for Cloud Apps | CASB for cloud exfiltration |
| Netskope | Cloud DLP and exfiltration detection |
| Suricata | Network IDS for protocol anomaly detection |
| RITA | DNS exfiltration and beacon detection |
| ExtraHop | Network traffic analysis for data flow |

## Common Scenarios

1. **Cloud Storage Exfiltration**: A user uploads sensitive documents to personal Google Drive or Dropbox via the browser.
2. **DNS Tunneling**: Malware exfiltrates data encoded in DNS subdomain queries to an attacker-controlled nameserver.
3. **HTTPS Upload**: A compromised system POSTs large data blobs to a C2 server over encrypted HTTPS.
4. **Email Attachment Exfiltration**: An insider forwards sensitive documents to personal email accounts.
5. **Staging and Compression**: The adversary stages data in compressed archives before slow exfiltration to avoid detection.
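Detection logic for scenario 2 (and workflow step 5) as an added example, not part of the original skill: it groups a constructed DNS query log by source host and zone and flags groups whose subdomain labels are numerous, almost all unique, long and high-entropy. The two-label zone split is an assumption; real deployments should use the public suffix list.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log (src_ip, qtype, qname); not real traffic. Host 10.0.0.5 sends
# many unique, long, high-entropy labels under one zone (tunnel-like); 10.0.0.9 is benign.
DNS_QUERIES = [
    *[("10.0.0.5", "TXT", hashlib.sha256(str(i).encode()).hexdigest() + ".t.example")
      for i in range(40)],
    *[("10.0.0.9", "A", name) for name in
      ["www.corp.example", "mail.corp.example", "cdn.corp.example"] * 10],
]

def shannon_entropy(s):
    """Bits per character of s; hex-encoded payloads approach 4, base32 approaches 5,
    ordinary hostnames score far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_zone(qname):
    """Return (zone, subdomain). Assumes the registered zone is the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def dns_tunnel_candidates(queries, min_queries=20, min_unique_ratio=0.9,
                          min_label_len=30, min_entropy=3.5):
    """Group queries by (source, zone) and flag groups whose subdomains are numerous,
    almost all unique, long and high-entropy: the DNS-tunnel signature."""
    groups = defaultdict(list)
    for src, qtype, qname in queries:
        zone, sub = split_zone(qname)
        if sub:
            groups[(src, zone)].append((qtype, sub.replace(".", "")))
    findings = []
    for (src, zone), items in groups.items():
        if len(items) < min_queries:
            continue
        subs = [s for _, s in items]
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(map(len, subs)) / len(subs)
        avg_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if unique_ratio >= min_unique_ratio and avg_len >= min_label_len and avg_entropy >= min_entropy:
            findings.append({"src": src, "zone": zone, "queries": len(items),
                             "unique_ratio": round(unique_ratio, 2),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2),
                             "txt_share": round(sum(q == "TXT" for q, _ in items) / len(items), 2)})
    return findings

if __name__ == "__main__":
    for finding in dns_tunnel_candidates(DNS_QUERIES):
        print(finding)
```

The `txt_share` field is reported rather than thresholded because tunnels also ride on A, AAAA and NULL records; the label statistics are the more durable signal.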
## Output Format

```
Hunt ID: TH-EXFIL-[DATE]-[SEQ]
Exfiltration Channel: [HTTP/DNS/Email/Cloud/USB]
Source: [Host/User]
Destination: [Domain/IP/Service]
Data Volume: [Bytes/MB/GB]
Time Period: [Start - End]
Protocol: [HTTPS/DNS/SMTP/SMB]
Files Involved: [Count/Types]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
```