Map Exfiltration Channels (HTTP, DNS, Cloud Sync)
Identify the channels the attacker used or attempted to use for data exfiltration. Common channels include HTTPS uploads, DNS tunneling, cloud storage sync clients, email attachments, and removable media.
Actions
1. Analyze proxy/firewall logs for large outbound transfers (note the parentheses: without them Splunk binds the implicit AND tighter than OR, so the byte filter would apply to Zscaler events only): `index=proxy (sourcetype=bluecoat OR sourcetype=zscaler) bytes_out>10000000 | stats sum(bytes_out) as total_bytes by src_ip, dest, cs_host, cs_uri_path | eval total_MB=round(total_bytes/1048576,2) | sort -total_MB | head 50`.
2. Hunt for DNS tunneling indicators: look for high-volume DNS queries to a single domain with long subdomain labels. `stats` cannot evaluate `len()` inline, so compute the length first: `index=dns | eval qlen=len(query) | stats count avg(qlen) as avg_len by query_domain, src_ip | where count > 500 AND avg_len > 40`.
3. Check for unauthorized cloud sync client usage: `DeviceProcessEvents | where FileName in~ ("rclone.exe","megasync.exe","gdrive.exe","onedrive.exe","dropbox.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName`.
4. Review the email gateway for large attachment sends or forwarding to external domains during the window: `sourcetype=o365:messageTrace directionality=Outbound | where TotalBytes > 5000000 | stats sum(TotalBytes) by Sender, RecipientAddress`.
5. Check for removable media usage on staging hosts: `DeviceEvents | where ActionType == "UsbDriveMounted" | project Timestamp, DeviceName, AccountName, AdditionalFields`.
6. Examine browser history for cloud upload activity: parse `C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\History` (SQLite; copy the file first, since Chrome holds a lock on it while running) or use `BrowsingHistoryView` to identify visits to file-sharing services (WeTransfer, Dropbox, Google Drive, OneDrive personal). Also check the browser cache for rendered pages of exfiltration services.
7. Analyze SRUM (System Resource Usage Monitor) for network usage anomalies: `SrumECmd.exe -f SRUDB.dat -r SOFTWARE --csv .`. SRUM records per-application network bytes sent/received per hour for 30-60 days, revealing bulk data transfer by rclone, curl, or other tools even after they are uninstalled.
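The browser-history check in action 6, worked through as an added example (not part of the original playbook): it builds a Chrome-shaped `urls` table in an in-memory SQLite database with constructed rows, converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to real datetimes, and returns the visits to a watchlist of file-sharing hosts that fall inside the incident window. The watchlist, the sample rows and the function names are assumptions for this example; on a real case point `sqlite3.connect()` at a copy of the `History` file instead of `:memory:`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed watchlist of file-sharing / personal cloud hosts; extend it from your own intel.
FILE_SHARING_HOSTS = {
    "wetransfer.com": "WeTransfer",
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive (personal)",
    "mega.nz": "MEGA",
}

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(webkit_us):
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)

def datetime_to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))

def match_service(url):
    """Return the watchlist service name for a URL, matching the host or any subdomain of it."""
    host = urlparse(url).hostname or ""
    for suffix, name in FILE_SHARING_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def build_sample_history(conn):
    """Create a Chrome-like 'urls' table and fill it with constructed rows (not real data)."""
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
        typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)""")
    utc = timezone.utc
    rows = [
        ("https://intranet.example.local/wiki", "Wiki", 40, 5, datetime(2024, 3, 1, 9, 0, tzinfo=utc)),
        ("https://wetransfer.com/uploads/abc123", "WeTransfer", 1, 0, datetime(2024, 3, 2, 2, 14, tzinfo=utc)),
        ("https://www.dropbox.com/home/finance", "Dropbox", 3, 1, datetime(2024, 3, 2, 2, 30, tzinfo=utc)),
        ("https://mega.nz/fm", "MEGA", 2, 0, datetime(2024, 3, 2, 2, 45, tzinfo=utc)),
        ("https://news.example.com/", "News", 12, 2, datetime(2024, 3, 2, 8, 0, tzinfo=utc)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, 0)",
        [(u, t, vc, tc, datetime_to_webkit(ts)) for u, t, vc, tc, ts in rows])
    conn.commit()

def find_file_sharing_visits(conn, start, end):
    """Return history rows for watchlisted hosts whose last visit falls within [start, end]."""
    hits = []
    for url, title, visit_count, last_visit in conn.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls"):
        service = match_service(url)
        if service is None:
            continue
        when = webkit_to_datetime(last_visit)
        if start <= when <= end:
            hits.append({"service": service, "url": url, "title": title,
                         "visit_count": visit_count, "last_visit_utc": when.isoformat()})
    return sorted(hits, key=lambda h: h["last_visit_utc"])

def run_demo():
    """Build the constructed sample in memory and triage a six-hour exfil window."""
    conn = sqlite3.connect(":memory:")
    build_sample_history(conn)
    start = datetime(2024, 3, 2, 0, 0, tzinfo=timezone.utc)
    end = datetime(2024, 3, 2, 6, 0, tzinfo=timezone.utc)
    return find_file_sharing_visits(conn, start, end)

if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The `urls` table only proves the host was visited, not that an upload completed; treat a hit as a lead to corroborate with proxy byte counts or SRUM rather than as proof of exfiltration on its own.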
Queries
- KQL (Microsoft Sentinel), large allowed outbound flows by source and destination: `CommonSecurityLog | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where DeviceAction == "allowed" | where SentBytes > 10000000 | summarize TotalBytesSent=sum(SentBytes), ConnectionCount=count() by SourceIP, DestinationIP, DestinationHostName, ApplicationProtocol | extend TotalMB=TotalBytesSent/1048576 | order by TotalMB desc | take 50`
- KQL (Microsoft Sentinel), high-volume DNS queries with long first labels: `DnsEvents | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | extend SubdomainLength=strlen(tostring(split(Name, ".")[0])) | where SubdomainLength > 30 | summarize QueryCount=count(), AvgSubdomainLen=avg(SubdomainLength) by ClientIP, Name | where QueryCount > 100 | order by QueryCount desc`
- SPL (Splunk), outbound volume from the staging host in 15-minute buckets: `index=firewall action=allowed dest_port IN (443,80,53,8080) src_ip=STAGING_HOST | timechart span=15m sum(bytes_out) as bytes_out | search bytes_out>50000000`
- SPL (Splunk), proxy destinations by volume for the staging host (the OR is parenthesised so the host and time filters apply to both sourcetypes): `index=proxy (sourcetype=bluecoat OR sourcetype=zscaler) src_ip=STAGING_HOST earliest=T_START latest=T_END | stats sum(bytes_out) as total_bytes count by dest_host, cs_uri_path, user | eval total_MB=round(total_bytes/1048576,2) | sort -total_MB | head 50`
- SPL (Splunk), DNS queries with long first labels, grouped by client and name: `index=dns (sourcetype=named OR sourcetype=infoblox:dns) earliest=T_START latest=T_END | eval subdomain_len=len(mvindex(split(query,"."),0)) | search subdomain_len>30 | stats count avg(subdomain_len) as avg_len by src_ip, query | search count>100 | sort -count`
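The DNS tunneling logic behind the two DNS queries above (and the indicator described in the Notes: sustained volume, long labels, TXT-heavy traffic), carried out over constructed log lines as an added example that is not part of the original playbook. It goes one step beyond the queries by also scoring the Shannon entropy of the first label, which separates encoded payload labels from long but human-readable hostnames. The log format, the thresholds and the naive "last two labels" rule for the registered domain are assumptions for this example; a production tool should use the Public Suffix List for the domain split.

```python
import math
import hashlib
from collections import defaultdict

def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted payload labels score near the maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def split_query(name):
    """Return (first_label, registered_domain).
    Constructed simplification: the last two labels are taken as the registered domain."""
    labels = name.rstrip(".").split(".")
    first = labels[0] if len(labels) > 2 else ""
    return first, ".".join(labels[-2:])

def parse_dns_line(line):
    """Constructed log format for this example: '<timestamp> <client_ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()}

def detect_dns_tunneling(lines, min_queries=100, min_label_len=30, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups matching the tunneling
    profile: many queries, long first labels, high label entropy. Thresholds are assumptions."""
    groups = defaultdict(lambda: {"count": 0, "len_sum": 0, "ent_sum": 0.0, "txt": 0,
                                  "names": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_dns_line(line)
        first, domain = split_query(rec["qname"])
        g = groups[(rec["client"], domain)]
        g["count"] += 1
        g["len_sum"] += len(first)
        g["ent_sum"] += shannon_entropy(first)
        g["txt"] += rec["qtype"] == "TXT"
        g["names"].add(rec["qname"])
        g["first"] = rec["ts"] if g["first"] is None else min(g["first"], rec["ts"])
        g["last"] = rec["ts"] if g["last"] is None else max(g["last"], rec["ts"])
    findings = []
    for (client, domain), g in groups.items():
        avg_len = g["len_sum"] / g["count"]
        avg_ent = g["ent_sum"] / g["count"]
        if g["count"] >= min_queries and avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({
                "client": client, "domain": domain, "query_count": g["count"],
                "unique_names": len(g["names"]), "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2), "txt_share": round(g["txt"] / g["count"], 2),
                "first_seen": g["first"], "last_seen": g["last"],
            })
    return sorted(findings, key=lambda f: -f["query_count"])

def build_sample_log():
    """Constructed sample: 300 benign lookups plus 150 TXT queries carrying hex-like payload labels."""
    lines = []
    for i in range(300):
        lines.append(f"2024-03-02T02:{i % 60:02d}:{i % 50:02d} 10.0.0.5 www.example.com A")
    for i in range(150):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-03-02T03:{i % 60:02d}:{i % 50:02d} 10.0.0.5 {label}.tun.example.org TXT")
    return lines

if __name__ == "__main__":
    for finding in detect_dns_tunneling(build_sample_log()):
        print(finding)
```

Grouping on the registered domain rather than the full name matters: a tunnel never repeats a query name, so a per-name count (as in the Sentinel query, which groups by `Name`) stays at 1 per name and the volume signal is lost; `unique_names` close to `query_count` is itself a useful tell.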
Notes
Rclone is one of the most common exfiltration tools used in ransomware and data theft operations. Its configuration file (~/.config/rclone/rclone.conf) may contain the destination cloud storage credentials.
DNS tunneling exfiltration is slow but often bypasses network inspection. A sustained high volume of TXT queries or long subdomain labels is a strong indicator.
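Triage of an rclone configuration file, as an added example that is not part of the original playbook: it parses the INI-style `rclone.conf`, reports each remote's type and the non-secret fields that identify where data went (endpoint, region, account, team drive), and lists only the names of credential keys so the summary can go into a case file without copying the credentials themselves. The key lists, the sample config and its placeholder values are assumptions for this example; the Windows location `%APPDATA%\rclone\rclone.conf` and the `RCLONE_ENCRYPT_V0:` header of a password-protected config are rclone's own conventions.

```python
import configparser
import re

# Key names that hold credentials in rclone remotes (constructed pattern for this example;
# rclone obscures some of these values, but they still grant access to the destination).
SECRET_KEY_RE = re.compile(r"pass|password|secret|token|key|credentials", re.IGNORECASE)

# Keys that identify the destination or account without being secrets (constructed list).
DESTINATION_KEYS = ("type", "provider", "endpoint", "host", "url", "region", "bucket",
                    "account", "user", "drive_id", "root_folder_id", "team_drive", "shared_folder")

ENCRYPTED_MARKER = "RCLONE_ENCRYPT_V0:"  # header rclone writes into a password-protected config

def is_encrypted_conf(text):
    return ENCRYPTED_MARKER in text

def summarize_rclone_conf(text):
    """Return one record per remote: type, destination fields, and the names (not the values)
    of credential keys."""
    if is_encrypted_conf(text):
        raise ValueError("encrypted rclone config: contents require the config password")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    remotes = []
    for name in cp.sections():
        section = cp[name]
        remotes.append({
            "remote": name,
            "type": section.get("type", "unknown"),
            "destination": {k: v for k, v in section.items() if k in DESTINATION_KEYS},
            "secret_keys": sorted(k for k in section if SECRET_KEY_RE.search(k)),
        })
    return remotes

# Constructed sample config with placeholder values (not real credentials).
SAMPLE_RCLONE_CONF = """\
[corp-s3]
type = s3
provider = AWS
access_key_id = AKIAPLACEHOLDER0000
secret_access_key = PLACEHOLDER/SECRET/KEY
region = us-east-1

[mega]
type = mega
user = someone@example.com
pass = PLACEHOLDER_OBSCURED_VALUE

[gdrive]
type = drive
client_id = placeholder.apps.googleusercontent.com
client_secret = PLACEHOLDER_CLIENT_SECRET
token = {"access_token":"PLACEHOLDER","token_type":"Bearer"}
team_drive = 0APLACEHOLDERTEAMDRIVE
"""

if __name__ == "__main__":
    # Real locations: ~/.config/rclone/rclone.conf on Linux/macOS, %APPDATA%\rclone\rclone.conf on Windows.
    for remote in summarize_rclone_conf(SAMPLE_RCLONE_CONF):
        print(remote)
```

The remote names and destination fields are what to hand to the cloud provider or legal team for a preservation request; the credential keys are what to rotate or revoke, since the attacker's copy of the file grants the same access.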