📤 Data Exfiltration — IR Cheatsheet

24 nodes | 8 stages | Generated for analyst role

Triage

1.Query SIEM for the earliest alert or IOC match and record the timestamp as T-start; search across all log sources (EDR, firewall, proxy, authentication) for corroborating events within +/- 24 hours.
2.Use PowerShell to pull the $MFT timeline: `Get-ForensicTimeline -VolumeName C: | Where-Object { $_.Date -ge $tStart -and $_.Date -le $tEnd } | Export-Csv mft_timeline.csv` -- compare with SIEM timestamps.
3.Run Velociraptor hunt `Windows.Timeline.MFT` across suspected hosts to identify file creation/modification clusters that may push T-start earlier.

index=* (sourcetype=crowdstrike OR sourcetype=defender OR sourcetype=sysmon) earliest=-30d | stats earliest(_time) as fi...

SecurityEvent | where TimeGenerated between (ago(30d) .. now()) | where EventID in (4624, 4625, 4648, 4672) | summarize ...

Patient ZeroP1 | 60m

1.Pivot from the earliest IOC timestamp to identify the originating host: correlate source IPs, user accounts, and process trees across EDR telemetry.
2.Run Velociraptor artifact `Windows.EventLogs.Evtx` with a time filter around T-start on candidate hosts to find logon events (4624 Type 3/10), service installations (7045), and scheduled task creation (4698).
3.Check email logs for the earliest malicious delivery if phishing is suspected: `sourcetype=o365:messageTrace | search directionality=Inbound status=Delivered | where _time >= T_start | stats earliest(_time) by sender, recipient, subject`.

DeviceLogonEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where LogonType in ("RemoteInteract...

index=proxy sourcetype=bluecoat OR sourcetype=zscaler dest IN (ioc_ip_list) OR url IN (ioc_url_list) | stats earliest(_t...

Access ValidationP2 | 45m

1.On patient zero, parse Outlook OST/PST for the phishing email and extract attachment hashes. Use `oletools` to analyze macros: `olevba -a malicious.docm | tee olevba_output.txt`.
2.For web-app compromise, review IIS/Apache/Nginx access logs around T-start: look for exploit patterns (path traversal, SQLi, deserialization payloads) targeting the specific CVE.
3.Check for credential-based access: query Azure AD sign-in logs for impossible travel, legacy auth protocols, or sign-ins from anonymizing infrastructure (Tor, VPN providers).

SigninLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where UserPrincipalName == "compromise...

DeviceProcessEvents | where DeviceName == "PATIENT_ZERO" | where Timestamp between (datetime(T_START) .. datetime(T_END)...

Containment

Network IsolationP1 | 30m

1.Initiate EDR network containment on the compromised host (CrowdStrike: `falconctl -s --cid | containment enable`, Defender: Isolate device from MDE portal or via API `POST /api/machines/{id}/isolate`).
2.If EDR containment is not available, implement switch-port isolation: move the host VLAN to a quarantine VLAN with no routes except to the forensic workstation. Document the original VLAN assignment.
3.Deploy firewall rules to block the host IP from all outbound communication except the forensic subnet: `iptables -I FORWARD -s <compromised_ip> -j DROP` or equivalent on your perimeter firewall.

DeviceNetworkEvents | where DeviceName == "COMPROMISED_HOST" | where Timestamp > ago(1h) | summarize ConnectionCount=cou...

index=firewall sourcetype=paloalto_traffic src_ip=COMPROMISED_IP action=allowed | stats count by dest_ip, dest_port, app...

Account LockdownP1 | 45m

1.Disable the compromised user account in AD: `Disable-ADAccount -Identity compromised_user` and in Azure AD: `Set-AzureADUser -ObjectId <user_id> -AccountEnabled $false`.
2.Revoke all Azure AD refresh tokens immediately: `Revoke-AzureADUserAllRefreshToken -ObjectId <user_id>`. For M365, also run: `Get-AzureADUserRegisteredDevice -ObjectId <user_id> | ForEach-Object { Remove-AzureADDeviceRegisteredUser -ObjectId $_.ObjectId }`.
3.Force Kerberos ticket expiry for on-prem AD: reset the user password twice (this invalidates all cached TGTs). Then reset the KRBTGT account if Golden Ticket is suspected: `Reset-KrbtgtKeys -Server DC01 -Force`.

let compromised_user = "[email protected]"; SigninLogs | where UserPrincipalName == compromised_user | where TimeGenerated...

let compromised_user = "[email protected]"; AuditLogs | where InitiatedBy has compromised_user | where TimeGenerated > ago...

Block ExfiltrationP1 | 30m

1.Block exfiltration destination IPs and domains on the perimeter firewall: add to deny list and verify with `show access-list` or equivalent. Confirm blocks are applied to all egress points.
2.Add exfiltration domains to the DNS sinkhole/blackhole: update the DNS resolver block list or RPZ zone. Verify resolution fails: `nslookup exfil-domain.com` should return NXDOMAIN or sinkhole IP.
3.Block cloud storage sync tools at the proxy level: create URL category blocks for file-sharing domains (mega.nz, rclone endpoints, transfer.sh). Apply SSL inspection to detect HTTPS-based exfiltration.

CommonSecurityLog | where TimeGenerated > ago(1h) | where DestinationIP in ("EXFIL_IP1","EXFIL_IP2") or DestinationHostN...

DnsEvents | where TimeGenerated > ago(1h) | where Name has "exfil-domain.com" | summarize QueryCount=count() by ClientIP...

Preservation

Memory CaptureP1 | 60m

1.Windows -- Use WinPmem from a trusted USB or network share: `winpmem_mini_x64.exe --output F:\case\%COMPUTERNAME%_memdump.raw --format raw`. Verify the output file size matches expected RAM.
2.Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails. For remote collection via Velociraptor: deploy `Windows.Memory.Acquisition` artifact.
3.Linux -- Use AVML (Acquire Volatile Memory for Linux): `./avml --compress output.lime.gz`. Alternative: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. Verify module unloads cleanly after capture.

DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName in~ ("winpmem","ram...

SELECT pid, name, ppid, cmdline, create_time FROM processes WHERE on_disk = 0 OR name IN ("powershell.exe","cmd.exe","ru...

Log SnapshotP1 | 45m

1.Windows -- Export critical event logs: `wevtutil epl Security C:\case\Security.evtx`, `wevtutil epl System C:\case\System.evtx`, `wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\case\PowerShell.evtx`, `wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\case\Sysmon.evtx`.
2.Linux -- Preserve auth and system logs: `cp -p /var/log/auth.log* /var/log/syslog* /var/log/secure* /var/log/audit/audit.log* /case/logs/`. For journald: `journalctl --since "T_START" --until "T_END" -o json > /case/logs/journal_export.json`.
3.M365/Azure -- Export Azure AD sign-in and audit logs via PowerShell: `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge T_START" -All $true | Export-Csv azure_signins.csv`. Export UAL: `Search-UnifiedAuditLog -StartDate T_START -EndDate T_END -ResultSize 5000 | Export-Csv ual_export.csv`.

index=_internal sourcetype=splunkd component=HotBucketRoller OR component=WarmToColdManager | stats latest(data_size) as...

// Velociraptor: collect all EVTX files from target host
SELECT FullPath, Size, Mtime FROM glob(globs="C:/Windows/System...

Chain of CustodyP2 | 30m

1.For each evidence item collected, record: item description, source system, collection method, collector name, date/time (UTC), and storage location.
2.Hash all evidence files immediately upon collection using SHA-256: `sha256sum /case/evidence/* > /case/evidence_hashes.sha256` (Linux) or `Get-FileHash -Algorithm SHA256 -Path C:\case\evidence\* | Export-Csv C:\case\evidence_hashes.csv` (PowerShell).
3.Store evidence on write-protected media or in a secured evidence repository with access logging. Document any transfers between storage locations.

Get-ChildItem -Path C:\case\evidence -Recurse | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path, @{Name="SizeK...

Insider Evidence CaptureP2 | 120m

1.Enable silent DLP monitoring on the suspect user: configure DLP policies to log-only mode (no block/notify) for all channels -- email, endpoint, cloud storage, USB, print
2.Configure EDR to capture enhanced telemetry on the suspect endpoint without user-visible indicators: enable full command-line logging, keylogging, clipboard capture, and screenshot on suspicious activity
3.Preserve cloud audit trail: export Azure AD sign-in logs, Unified Audit Log entries, OneDrive/SharePoint file access logs, and Teams/Slack message logs for the suspect user (past 90 days)

// KQL -- Covert monitoring: suspect user file access patterns
OfficeActivity
| where UserId == "<SUSPECT_UPN>"
| where ...

// KQL -- Suspect sign-in anomalies
SigninLogs
| where UserPrincipalName == "<SUSPECT_UPN>"
| where TimeGenerated > ago(...

Collection

EDR CollectionP2 | 120m

1.CrowdStrike -- Export full RTR session data and detection details via the Falcon API: `GET /detects/queries/detects/v1?filter=device.hostname:"TARGET_HOST"`. Pull process tree JSON for each detection.
2.Microsoft Defender -- Run Advanced Hunting queries to extract process execution history, file events, and network connections for the investigation window. Export results to CSV for offline analysis.
3.Deploy a Velociraptor hunt across all in-scope hosts using the SANS triage collection: `velociraptor-v0.7.0 --config client.config.yaml artifacts collect Windows.KapeFiles.Targets --args target="!SANS_Triage" --output /case/host_triage/`.

DeviceProcessEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. date...

DeviceFileEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. datetim...

M365 UAL CollectionP2 | 90m

1.Export the UAL using PowerShell for the investigation window. Note the 5000-record per query limit: `$results = Search-UnifiedAuditLog -StartDate "T_START" -EndDate "T_END" -ResultSize 5000 -SessionCommand ReturnLargeSet`. Page through all results and export to JSON for parsing.
2.Use the CISA Sparrow tool or CrowdStrike CRT (Cloud Response Tool) for automated collection: `sparrow.ps1` performs bulk UAL export, Azure AD analysis, and inbox rule enumeration.
3.Export Azure AD sign-in logs (requires P1/P2): `Get-MgAuditLogSignIn -Filter "createdDateTime ge T_START" -All | Export-Csv signins.csv`. Also export `Get-MgAuditLogDirectoryAudit` for admin activity.

CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where AccountObjectId == "<user_object...

AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Category in ("ApplicationManageme...

DLP AlertsP2 | 45m

1.Export Microsoft Purview DLP alerts: `Get-DlpDetailReport -StartDate T_START -EndDate T_END | Export-Csv dlp_alerts.csv`. Include policy name, matched sensitive info types, and actions taken.
2.Query the DLP dashboard for policy matches on the compromised user or host: filter by sender, endpoint, or IP address. Export the full match details including content snippets where available.
3.Cross-reference DLP hits with exfiltration timeline: align DLP alert timestamps with known staging and transfer events to build a complete data movement narrative.

CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType has "DLP" | project T...

index=dlp sourcetype=symantec:dlp OR sourcetype=forcepoint:dlp | where _time >= T_START AND _time <= T_END | stats count...

Missing Log FallbackP2 | 60m

1.Identify which log sources are missing and the affected time window. Document the gap: source name, expected retention, actual available range, and suspected reason for absence.
2.For missing Windows Event Logs, check Volume Shadow Copies: `vssadmin list shadows` then mount and extract .evtx files from shadow copies. Also check `C:\Windows\System32\winevt\Logs` for partially overwritten logs that may contain older entries.
3.Harvest NTFS metadata as a timeline substitute: `MFTECmd.exe -f C:\$MFT --csv /case/output/` provides file creation/modification timestamps even when application logs are gone. The $UsnJrnl provides granular file change records.

SecurityEvent | where TimeGenerated > ago(90d) | summarize MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated), Count...

DeviceEvents | where Timestamp > ago(30d) | summarize EarliestEvent=min(Timestamp), LatestEvent=max(Timestamp), EventCou...

Third-Party LogsP3 | 120m

1.Identify which third-party vendors hold relevant logs: ISP flow data, cloud hosting provider logs, SaaS application audit trails, MSP monitoring data, CDN/WAF provider logs.
2.Draft a formal log preservation and production request specifying: timeframe (T-30d to present), log types needed, format requirements (CSV, JSON, syslog), and delivery method (SFTP, encrypted email).
3.Include in the request: case reference number, legal basis for the request (contract clause, legal process), contact person, and urgency level.

Review vendor contracts and SLAs for log retention periods and incident response support obligations.

Analysis

Lateral MovementP1 | 120m

1.Query for RDP lateral movement: filter for Event ID 4624 (LogonType 10) and 4778/4779 (RDP session reconnect/disconnect) across all domain controllers and target hosts during the investigation window.
2.Identify pass-the-hash/pass-the-ticket: look for 4624 LogonType 9 (NewCredentials) and 4648 (explicit credential logon). Cross-reference with EDR for suspicious LSASS access (Mimikatz, ProcDump, comsvcs.dll MiniDump).
3.Map SMB lateral movement via admin shares: `DeviceNetworkEvents | where RemotePort == 445 | where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","wmic.exe","psexec.exe","smbclient")` and correlate with service installation events (7045) on target hosts.

SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID in (4624, 4648) | whe...

DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FileName in~ ("psexec.exe",...

Exfil ChannelsP1 | 90m

1.Analyze proxy/firewall logs for large outbound transfers: `index=proxy sourcetype=bluecoat OR sourcetype=zscaler bytes_out>10000000 | stats sum(bytes_out) as total_bytes by src_ip, dest, cs_host, cs_uri_path | eval total_MB=round(total_bytes/1048576,2) | sort -total_MB | head 50`.
2.Hunt for DNS tunneling indicators: look for high-volume DNS queries to a single domain with long subdomain labels: `index=dns | stats count avg(len(query)) as avg_len by query_domain src_ip | where count > 500 AND avg_len > 40`.
3.Check for unauthorized cloud sync client usage: `DeviceProcessEvents | where FileName in~ ("rclone.exe","megasync.exe","gdrive.exe","onedrive.exe","dropbox.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName`.

CommonSecurityLog | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where DeviceAction == "allowed"...

DnsEvents | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | extend SubdomainLength=strlen(tostring(...

Data StagingP2 | 60m

1.Search for archive creation using common staging tools: `DeviceProcessEvents | where FileName in~ ("7z.exe","rar.exe","winrar.exe","zip.exe","tar.exe","makecab.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName`.
2.Hunt for renamed archive tools or LOLBins used for compression: check for `compact.exe /c`, `certutil -encode`, or PowerShell `Compress-Archive` commands across EDR telemetry.
3.Identify large file creation events in staging directories: `DeviceFileEvents | where FolderPath matches regex @"(?i)(\\temp\\|\\staging\\|\\public\\|C:\\PerfLogs)" | where FileSize > 50000000 | project Timestamp, DeviceName, FileName, FolderPath, FileSize`.

DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ProcessCommandLine has_any ...

DeviceFileEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType == "FileCreated" | ...

Eradication

Eradication VerificationP1 | 90m

1.Run a full Autoruns sweep on all Windows hosts previously in scope -- compare against pre-incident baseline and flag any new entries added during the compromise window
2.Execute YARA rules for all known malware hashes and families identified during analysis across every endpoint using EDR live-response or Velociraptor hunts
3.Verify all compromised credentials have been reset: cross-reference the credential exposure list against Azure AD password-last-changed timestamps and on-prem AD pwdLastSet attributes

// KQL -- Verify no ransomware/malware re-execution post-eradication
DeviceProcessEvents
| where Timestamp > ago(48h)
| ...

// KQL -- Check for residual C2 communication
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where RemoteIP in ("<C2...

Config HardeningP2 | 180m

1.Disable legacy authentication protocols exploited during the attack: NTLMv1, LLMNR, NBT-NS, WPAD, SMBv1, and unencrypted LDAP binds
2.Enable Windows Attack Surface Reduction (ASR) rules relevant to the observed TTPs: block Office macro child processes, block credential theft from LSASS, block unsigned/untrusted executables from USB
3.Harden Azure AD conditional access: enforce MFA on all accounts, block legacy auth, require compliant devices, implement sign-in risk and user risk policies

// PowerShell -- Enable ASR rules
$rules = @(
  "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", # Block Office child processes
 ...

// KQL -- Verify hardening changes took effect
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType startswith "...

Recovery

Service RestorationP2 | 120m

1.Create service restoration tiers: Tier 1 (authentication, email, ERP), Tier 2 (file shares, internal apps), Tier 3 (development, non-essential). Restore one tier at a time.
2.Before each tier, verify: security tooling installed and reporting, monitoring rules deployed, containment controls updated for legitimate traffic.
3.Deploy enhanced monitoring rules: alert on C2 connections, new services, admin account creation, PowerShell/WMI remote execution.

DeviceNetworkEvents | where Timestamp > ago(4h) | where DeviceName in ("RESTORED_HOSTS") | where RemoteUrl !endswith ".m...

SecurityEvent | where TimeGenerated > ago(4h) | where Computer in ("RESTORED_HOSTS") | where EventID in (4720, 4732, 704...

Post-Incident Review

Detection ImprovementP2 | 90m

1.Document all attacker TTPs observed with specific indicators: process names, command lines, file paths, registry keys, network destinations.
2.Write Sigma rules for each TTP that can be shared and converted to multiple SIEM platforms.
3.Create custom KQL/SPL detection rules for the organization SIEM targeting the specific attack patterns.

SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4688 | where Proce...

Incident ReportP2 | 180m

1.Write the technical narrative covering: initial detection, investigation scope, evidence collected, attacker TTPs, impact assessment, containment actions, eradication steps, and recovery.
2.Create the final incident timeline with all key events in chronological order.
3.Compile the IOC appendix: file hashes, IP addresses, domains, email addresses, user agents, and other indicators.

Compile all queries used during the investigation for the report appendix.

Lessons LearnedP3 | 120m

1.Compile the complete incident timeline from detection through recovery with all key events, decisions, and timestamps.
2.Document all evidence gaps encountered and how they were addressed (or could not be addressed).
3.Identify detection gaps: what alerts should have fired but did not? What telemetry would have enabled faster detection?

Review all investigation notes, evidence logs, and timeline entries compiled during the incident.