Exfiltration

Firewall & NetFlow logs can be useful to determine the amount of data exfil’d, but will not describe the actual data.
Is your firewall application-aware? Do you have URL categories available? E.g., NGFWs
Look for traffic spikes and off-hours activity.
Is there protocol tunneling (e.g., DNS)?
Legal entities usually do not like to hear about traffic amounts (e.g., byte or packet counts) when you cannot denote exactly what was transferred— but it is what it is!

Multiple archives being created by the TA can be obvious.
MFT/UsnJrnl
- Use Parent sequence number to find directories related to file of interest.
- Even if you do not have EDR/Sysmon, MFT/UsnJrnl analysis can prove crucial.
Uncommon archive types/names for your environment can be a clue
Archival tools being brought in by the TA are a huge sign!

SRUM database

MFT/UsnJrnl

FileZilla log locations:

WinSCP

Rclone

WinZip maintains archive data in the registry at:

7Zip maintains archive artifacts in the registry at:

Block anything not approved.

Last updated 1 year ago

Firewall & NetFlow logs can be useful to determine the amount of data exfil’d, but will not describe the actual data.
Is your firewall application-aware? Do you have URL categories available? E.g., NGFWs
Look for traffic spikes and off-hours activity.
Is there protocol tunneling (e.g., DNS)?
Legal entities usually do not like to hear about traffic amounts (e.g., byte or packet counts) when you cannot denote exactly what was transferred— but it is what it is!

Multiple archives being created by the TA can be obvious.
MFT/UsnJrnl
- Use Parent sequence number to find directories related to file of interest.
- Even if you do not have EDR/Sysmon, MFT/UsnJrnl analysis can prove crucial.
Uncommon archive types/names for your environment can be a clue
Archival tools being brought in by the TA are a huge sign!