Exfiltration

A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.

A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.

A single user rapidly cloning a high number of GitHub repositories indicates potential exfiltration of sensitive data such as proprietary code, embedded secrets, and build artifacts.

Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.

Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.

This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.

This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.

Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.

This rule detects network events indicating the use of Windows file sharing (SMB or CIFS) traffic to the Internet, which is commonly exploited for initial access, backdoor deployment, or data exfiltration.

Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.

Detection of medium-sized registry hive files being created or modified on Server Message Block (SMB) shares, potentially indicating exfiltration of Security Account Manager (SAM) data for credential extraction.