Map Exfiltration Channels (HTTP, DNS, Cloud Sync)

IR Analyst

Identify the channels the attacker used or attempted to use for data exfiltration. Common channels include HTTPS uploads, DNS tunneling, cloud storage sync clients, email attachments, and removable media.

Actions

  1. Analyze proxy/firewall logs for large outbound transfers: `index=proxy sourcetype=bluecoat OR sourcetype=zscaler bytes_out>10000000 | stats sum(bytes_out) as total_bytes by src_ip, dest, cs_host, cs_uri_path | eval total_MB=round(total_bytes/1048576,2) | sort -total_MB | head 50`.
  2. Hunt for DNS tunneling indicators: look for high-volume DNS queries to a single domain with long subdomain labels. The label length must be computed with `eval` before `stats`, since `len()` cannot be called inside an aggregation: `index=dns | eval qlen=len(query) | stats count, avg(qlen) as avg_len by query_domain, src_ip | where count > 500 AND avg_len > 40`.
  3. Check for unauthorized cloud sync client usage: `DeviceProcessEvents | where FileName in~ ("rclone.exe","megasync.exe","gdrive.exe","onedrive.exe","dropbox.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName`.
  4. Review the email gateway for large attachment sends or forwarding to external domains during the window: `sourcetype=o365:messageTrace directionality=Outbound | where TotalBytes > 5000000 | stats sum(TotalBytes) as total_bytes by Sender, RecipientAddress`.
  5. Check for removable media usage on staging hosts: `DeviceEvents | where ActionType == "UsbDriveMounted" | project Timestamp, DeviceName, AccountName, AdditionalFields`.

Queries

CommonSecurityLog | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where DeviceAction == "allowed" | where SentBytes > 10000000 | summarize TotalBytesSent=sum(SentBytes), ConnectionCount=count() by SourceIP, DestinationIP, DestinationHostName, ApplicationProtocol | extend TotalMB=TotalBytesSent/1048576 | order by TotalMB desc | take 50
DnsEvents | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | extend SubdomainLength=strlen(tostring(split(Name, ".")[0])) | where SubdomainLength > 30 | summarize QueryCount=count(), AvgSubdomainLen=avg(SubdomainLength) by ClientIP, Name | where QueryCount > 100 | order by QueryCount desc
index=firewall action=allowed dest_port IN (443,80,53,8080) src_ip=STAGING_HOST | timechart span=15m sum(bytes_out) as bytes_out | where bytes_out > 50000000

Notes

  • Rclone is one of the most common exfiltration tools used in ransomware and data theft operations. Its configuration file (~/.config/rclone/rclone.conf) may contain the destination cloud storage credentials.
  • DNS tunneling exfiltration is slow but often bypasses network inspection. A sustained high volume of TXT queries or long subdomain labels is a strong indicator.
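The DNS tunneling heuristic from the Actions and Notes (query volume per client and domain, average leftmost-label length, share of TXT queries) as a stand-alone detector over raw DNS log lines. This is an added example, not part of the playbook's own queries; the log format (timestamp, client IP, query type, name) and the sample lines are constructed, and the registered domain is approximated as the last two labels because no public suffix list is assumed.

```python
from collections import defaultdict

# Constructed sample DNS log lines (not real traffic): timestamp, client IP, query type, query name.
# The first client issues TXT queries with long hex-like leftmost labels to a single domain.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.5.17 TXT 4d6f7a696c6c612f352e30202857696e.x7.tunnel-example.test
2024-05-01T10:00:01Z 10.0.5.17 TXT 646f777320204e5420313030.0b.tunnel-example.test
2024-05-01T10:00:02Z 10.0.5.17 TXT a9f3c1d02e7b8845fa1c3b07.0c.tunnel-example.test
2024-05-01T10:00:02Z 10.0.5.17 TXT 77696e36343b207836342920.0d.tunnel-example.test
2024-05-01T10:00:03Z 10.0.5.22 A www.example.test
2024-05-01T10:00:04Z 10.0.5.22 A mail.example.test.
2024-05-01T10:00:05Z 10.0.5.22 AAAA example.test
"""


def parse_line(line):
    """Split one constructed log line; normalise the name (trailing dot, case)."""
    _ts, client_ip, qtype, name = line.split()
    return client_ip, qtype.upper(), name.rstrip(".").lower()


def analyse(log_text, min_queries=500, min_avg_label_len=40):
    """Return (client, domain) pairs whose query count and average subdomain
    label length both exceed the thresholds (defaults match the playbook)."""
    stats = defaultdict(lambda: {"count": 0, "label_len_sum": 0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, qtype, name = parse_line(line)
        labels = name.split(".")
        domain = ".".join(labels[-2:])  # assumption: registered domain = last two labels
        # A bare registered domain has no subdomain label, so it contributes length 0
        sub_len = len(labels[0]) if len(labels) > 2 else 0
        s = stats[(client_ip, domain)]
        s["count"] += 1
        s["label_len_sum"] += sub_len
        s["txt"] += qtype == "TXT"
    findings = []
    for (client_ip, domain), s in stats.items():
        avg_len = s["label_len_sum"] / s["count"]
        if s["count"] >= min_queries and avg_len > min_avg_label_len:
            findings.append({"client_ip": client_ip, "domain": domain, "count": s["count"],
                             "avg_subdomain_len": round(avg_len, 1),
                             "txt_share": round(s["txt"] / s["count"], 2)})
    return sorted(findings, key=lambda f: f["count"], reverse=True)


if __name__ == "__main__":
    # Thresholds lowered only because the constructed sample is tiny.
    for finding in analyse(SAMPLE_DNS_LOG, min_queries=4, min_avg_label_len=20):
        print(finding)
```

With the playbook's default thresholds the sample is far too small to fire; the lowered thresholds in the usage call exist only to exercise the logic on seven lines.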