What is exfiltration (TA0010)?

In the MITRE ATT&CK framework, exfiltration (TA0010) is the tactic where adversaries move stolen data out of your environment. This is the moment where confidentiality loss becomes real business impact: intellectual property leaves the network, regulated records become reportable exposure, and incident response shifts from containment to legal and regulatory operations.

Exfiltration succeeds when defenders monitor events in isolation. A single outbound connection rarely looks malicious by itself. A staged archive, followed by an unusual protocol path, followed by unexpected identity behavior tells a different story. ManageEngine Log360 is strongest when these signals are correlated into an attack narrative rather than treated as disconnected alerts.

Figure 1: Exfiltration is where attacker objectives become measurable data loss.

Key insight: Exfiltration detection is a sequence problem. Log360 combines identity, endpoint, Active Directory, and network telemetry to detect chained behavior before data theft scales.

Why exfiltration is high impact

Most organizations discover exfiltration late because attackers intentionally throttle transfers, blend into sanctioned channels, or split data across multiple protocols. By the time a single tool catches one transfer, the larger campaign may already be complete. The operational objective is not to detect one packet stream; it is to detect data-theft behavior as it evolves from staging to outbound movement.

Exfiltration pressure is also regulatory pressure. Data theft can trigger notification obligations under ISO 27001, breach reporting workflows in regional privacy laws, and incident handling expectations in NIST SP 800-61. The SOC therefore needs evidence quality, not just alert volume. Log360 preserves timeline context that legal, compliance, and IR teams can act on quickly.

Technique coverage at a glance

Technique                               | MITRE ID        | Current coverage posture
----------------------------------------|-----------------|---------------------------------------------------
Exfiltration Over Alternative Protocol  | T1048           | Built-in adjacent detections + custom recommended
Exfiltration Over C2 Channel            | T1041           | Partial direct detections + custom recommended
Exfiltration to Cloud Storage           | T1567           | Built-in collaboration signal + custom recommended
Scheduled transfer staging              | Cross-technique | Built-in AD and endpoint indicators
Figure 2: Exfiltration detection posture across TA0010 techniques.

Detecting exfiltration over alternative protocol (T1048)

T1048 appears when adversaries move data through channels that are less monitored for bulk transfer. That can mean FTP-like paths, remote administration channels, DNS service abuse, or collaboration workflows that blend into normal operations. Detection depends on finding protocol misuse and endpoint intent in the same time window.

Log360 surfaces protocol misuse with built-in rules such as FTP Improper Address/Port Specified (Cisco, Trouble), which highlights suspicious FTP targeting behavior, and DNS-service abuse indicators including Unusual Child Process of dns.exe and Unusual File Deletion by Dns.exe (Windows, Trouble). These are high-value because they indicate abuse of infrastructure services that normally should not initiate suspicious child execution or destructive file activity.

For sensitive directory data staging, the combination of Ntdsutil Abuse (AD, Trouble), NTDS.DIT Created by Uncommon Process (AD, Attention/Trouble), and NTDS Exfiltration Filename Patterns (AD, Trouble) gives defenders a practical path to detect one of the most damaging forms of exfiltration: theft of AD credential databases for later offline cracking and privilege expansion.

Custom rule                              | Trigger logic                                                                                  | Severity
-----------------------------------------|------------------------------------------------------------------------------------------------|---------
Rare Protocol Egress Burst               | Outbound transfer volume spikes over a non-standard protocol/service for a host, above baseline. | Critical
Archive-Then-Transfer Sequence           | Archive creation followed by an outbound session to a new external destination within 20 minutes. | Critical
Sensitive Share Read + External Session  | Mass access on sensitive AD/file shares followed by an external connection from the same principal. | Critical
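The following is an added example, not Log360's own rule code, showing the sequence logic behind the Archive-Then-Transfer Sequence rule as a defender would prototype it before writing the SIEM correlation: an archiver process on a host, followed within 20 minutes by an outbound session from the same host to an external destination that host has never contacted. The event schema, the host names, the RFC 1918 "internal" definition, the per-host destination baseline, and every sample record are constructed for illustration; external addresses use RFC 5737 documentation ranges.

```python
# Added example (not Log360's own code): sequence correlation for the
# "Archive-Then-Transfer Sequence" rule. Field names, the 20-minute window and
# all sample records are constructed for illustration.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=20)

# Treat RFC 1918 space as internal; anything else counts as an external destination.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

ARCHIVE_TOOLS = ("7z", "rar", "winrar", "zip", "tar")

# Constructed telemetry: endpoint process-creation events and egress flow
# records after SIEM normalisation (the schema is assumed for this example).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "process",
     "image": "C:\\Tools\\7z.exe", "cmdline": "7z a -p staging.7z D:\\Finance"},
    {"ts": "2024-05-01T09:12:30", "host": "ws-17", "type": "flow",
     "dst_ip": "203.0.113.45", "dst_port": 443, "bytes_out": 82_000_000},
    {"ts": "2024-05-01T10:05:00", "host": "ws-22", "type": "process",
     "image": "C:\\Program Files\\WinRAR\\winrar.exe",
     "cmdline": "winrar a backup.rar C:\\Docs"},
    {"ts": "2024-05-01T11:30:00", "host": "ws-22", "type": "flow",   # 85 min later: outside window
     "dst_ip": "203.0.113.45", "dst_port": 443, "bytes_out": 5_000_000},
    {"ts": "2024-05-01T12:00:00", "host": "ws-31", "type": "flow",   # no staging on this host
     "dst_ip": "203.0.113.45", "dst_port": 443, "bytes_out": 1_000},
]

# Constructed per-host baseline: destinations already seen in the look-back period.
KNOWN_DESTINATIONS = {"ws-17": {"198.51.100.9"}, "ws-22": {"198.51.100.9"}}


def is_archiver(event):
    """True for process events whose image name is a common archiving tool."""
    if event["type"] != "process":
        return False
    name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.startswith(ARCHIVE_TOOLS)


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def archive_then_transfer(events, known, window=WINDOW):
    """Return one alert per outbound session that (a) follows an archiver run on
    the same host within `window` and (b) goes to an external destination not in
    that host's baseline. Events are processed in time order."""
    alerts = []
    staged = {}  # host -> time of the most recent archiver execution
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_archiver(ev):
            staged[ev["host"]] = datetime.fromisoformat(ev["ts"])
            continue
        if ev["type"] != "flow" or ev["host"] not in staged:
            continue
        gap = datetime.fromisoformat(ev["ts"]) - staged[ev["host"]]
        if gap > window:
            del staged[ev["host"]]  # staging too old to count; wait for a fresh one
            continue
        if is_external(ev["dst_ip"]) and ev["dst_ip"] not in known.get(ev["host"], set()):
            alerts.append({"host": ev["host"], "dst": ev["dst_ip"],
                           "bytes_out": ev["bytes_out"],
                           "gap_minutes": int(gap.total_seconds() // 60),
                           "severity": "Critical"})
    return alerts


if __name__ == "__main__":
    for alert in archive_then_transfer(EVENTS, KNOWN_DESTINATIONS):
        print(alert)
```

Run as-is, only the ws-17 chain fires: the ws-22 archive is followed by an outbound session, but 85 minutes later, so it falls outside the window, and ws-31 has outbound traffic with no staging at all. The destination-novelty check is what keeps routine backups to an already-known external service from alerting every time an archiver runs.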

Detecting exfiltration over C2 channel (T1041)

T1041 describes data theft through an already established command-and-control path. This is attractive to attackers because the channel often already bypasses perimeter controls. Instead of opening a new transfer route, they piggyback exfiltration on a session that security tools may classify as known remote activity.

In practice, defenders should combine documented outbound-anomaly signals like Uncommon Outbound Kerberos Connection (Windows, Trouble) with endpoint and identity context to distinguish routine administration from covert transfer. Where remote-access abuse is part of the campaign, Outbound RDP Connections Over Non-Standard Tools (Windows, Trouble) provides additional directional signal.

Custom rule                            | Trigger logic                                                                                   | Severity
---------------------------------------|-------------------------------------------------------------------------------------------------|---------
Beacon Size Drift                      | A host with regular C2 beaconing starts sending significantly larger payloads than its baseline. | Critical
C2 Session + Sensitive File Access     | Sensitive file reads precede a sustained outbound C2-like session from the same endpoint.       | Critical
New C2 Destination on Privileged Host  | A privileged endpoint contacts an unseen external destination with repeated encrypted sessions. | Critical
Figure 3: Exfiltration sequence and where SIEM correlation adds precision.
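As an added example (not Log360's own rule code), the Beacon Size Drift logic above can be prototyped from per-session flow records alone: first confirm the host's sessions to a destination are periodic (beacon-like), then compare later session sizes against the host's own early sessions. The session records, the periodicity threshold, the 10x size ratio and the two-hit minimum are all constructed assumptions for this illustration.

```python
# Added example (not Log360's own code): "Beacon Size Drift" detection. A host
# whose outbound sessions to one destination are periodic and whose later
# sessions carry far more bytes than its own early sessions is flagged.
# All session records and thresholds are constructed.
from statistics import mean, median, pstdev

# Constructed: per (host, destination), a time-ordered list of
# (seconds since first session, bytes sent) for each outbound session.
SESSIONS = {
    # Steady 5-minute beacon with ~1.1 KB check-ins, then multi-megabyte uploads.
    ("srv-db-02", "203.0.113.7"): [(i * 300, b) for i, b in enumerate(
        [1120, 1080, 1150, 1100, 1130, 1090, 1110, 1120,
         4_900_000, 5_100_000, 5_050_000])],
    # Periodic but stable: ordinary agent check-ins.
    ("ws-05", "203.0.113.7"): list(zip(
        [0, 310, 590, 900, 1200, 1510, 1800, 2100],
        [980, 1010, 995, 1005, 990, 1000, 1015, 985])),
    # Large sessions but irregular timing: a bulk sync, not beacon drift.
    ("ws-09", "198.51.100.40"): list(zip(
        [0, 50, 900, 1000, 4000, 4010, 7000, 7100],
        [1000, 1000, 1000, 1000, 1000, 1000, 5_000_000, 5_000_000])),
}


def is_periodic(times, max_cv=0.2):
    """Beacon-like if inter-session gaps vary little (coefficient of variation)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return False
    return pstdev(gaps) / mean(gaps) <= max_cv


def size_drift(sizes, baseline_n=6, ratio=10.0, min_hits=2):
    """Baseline = median of the first `baseline_n` sessions. Return indexes of
    later sessions above `ratio` x baseline, but only when at least `min_hits`
    such sessions occur, so one large legitimate transfer does not fire."""
    if len(sizes) <= baseline_n:
        return []
    base_med = median(sizes[:baseline_n])
    hits = [i for i in range(baseline_n, len(sizes)) if sizes[i] > ratio * base_med]
    return hits if len(hits) >= min_hits else []


def detect_beacon_size_drift(sessions, baseline_n=6, **kw):
    """One alert per (host, destination) that is periodic and shows size drift."""
    alerts = []
    for (host, dst), recs in sessions.items():
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        if not is_periodic(times):
            continue
        hits = size_drift(sizes, baseline_n=baseline_n, **kw)
        if hits:
            alerts.append({"host": host, "dst": dst,
                           "baseline_bytes": median(sizes[:baseline_n]),
                           "drift_sessions": len(hits),
                           "peak_bytes": max(sizes[i] for i in hits),
                           "severity": "Critical"})
    return alerts


if __name__ == "__main__":
    for alert in detect_beacon_size_drift(SESSIONS):
        print(alert)
```

Only srv-db-02 alerts: ws-05 is periodic but its sizes never move, and ws-09 sends large payloads but at irregular intervals, which the periodicity gate excludes so that scheduled bulk syncs are left to volume-based rules instead. In production the baseline would come from a longer look-back window rather than the first six sessions.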

Detecting cloud-storage exfiltration (T1567)

Cloud and collaboration channels are now frequent exfiltration paths because they look operationally legitimate. Attackers abuse Teams, sanctioned SaaS, or temporary cloud identities to move data in small, hard-to-flag increments. Traditional DLP-only views can miss the attacker context that reveals intent.

Log360 provides direct signal through Files uploaded to Teams (Microsoft 365, Attention), which is useful when correlated with unusual account activity and privilege changes. In cloud-connected environments, identity or key lifecycle anomalies such as AWS EC2 Instance Connect SSH Public Key Uploaded (AWS, Trouble) can indicate attacker preparation for alternate transfer routes even when explicit exfiltration signatures are absent.

For this technique, strong outcomes come from layered analytics: sanctioned-app upload monitoring, user behavior baselines, and destination novelty scoring. Log360 can orchestrate these sources into a single SOC view so analysts can evaluate whether the transfer is business activity or covert data movement.
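As an added example (not Log360's own analytics), the "small, hard-to-flag increments" problem and the destination-novelty idea above can be combined in one scoring pass over SaaS upload audit events: a sliding per-user window sums upload volume so many sub-threshold uploads are caught in aggregate, and each destination is checked against that user's historical destinations. The event schema, the 6-hour window, the 50 MB limit, the scoring weights, the domain names and all records are constructed for illustration.

```python
# Added example (not Log360's own code): low-and-slow cloud upload scoring for
# T1567. A sliding window per user sums upload bytes, so many small uploads
# that never trip a per-file size rule are still caught in aggregate, and the
# destination is checked against that user's historical destinations (novelty).
# Records, limits and domain names are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
WINDOW_VOLUME_LIMIT = 50_000_000  # bytes per user per window (constructed)

# Constructed SaaS audit events: seven 8 MB uploads every 30 minutes from
# a.rivera to a storage domain never seen for that account, plus routine
# uploads from j.doe to the known corporate tenant.
UPLOADS = [
    {"ts": f"2024-05-02T{8 + i // 2:02d}:{(i % 2) * 30:02d}:00", "user": "a.rivera",
     "dest": "files.example.org", "bytes": 8_000_000}
    for i in range(7)
] + [
    {"ts": "2024-05-02T09:15:00", "user": "j.doe",
     "dest": "docs.example.com", "bytes": 4_000_000},
    {"ts": "2024-05-02T13:40:00", "user": "j.doe",
     "dest": "docs.example.com", "bytes": 30_000_000},
]

# Constructed per-user baseline of upload destinations from the look-back period.
KNOWN_DESTINATIONS = {
    "a.rivera": {"docs.example.com"},
    "j.doe": {"docs.example.com"},
}


def score_uploads(uploads, known_dest, window=WINDOW, limit=WINDOW_VOLUME_LIMIT):
    """Walk uploads in time order, keeping each user's uploads inside `window`.
    Score = 2 if the window volume exceeds `limit`, +1 if the destination is new
    for the user. Alert once per (user, destination) when score >= 2."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, bytes)
    alerted, alerts = set(), []
    for up in sorted(uploads, key=lambda u: u["ts"]):
        ts = datetime.fromisoformat(up["ts"])
        q = recent[up["user"]]
        q.append((ts, up["bytes"]))
        while ts - q[0][0] > window:      # drop uploads that aged out of the window
            q.popleft()
        volume = sum(b for _, b in q)
        new_dest = up["dest"] not in known_dest.get(up["user"], set())
        score = (2 if volume > limit else 0) + (1 if new_dest else 0)
        key = (up["user"], up["dest"])
        if score >= 2 and key not in alerted:
            alerted.add(key)
            alerts.append({"user": up["user"], "dest": up["dest"],
                           "volume_bytes": volume, "files_in_window": len(q),
                           "new_destination": new_dest, "score": score,
                           "first_exceeded_at": up["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in score_uploads(UPLOADS, KNOWN_DESTINATIONS):
        print(alert)
```

No single upload by a.rivera exceeds 10 MB, yet the seventh one pushes the 6-hour window to 56 MB against a never-seen destination, which is exactly the pattern a per-file DLP threshold misses; j.doe's 34 MB to the corporate tenant stays below the limit and to a known destination, so it is not raised. A UEBA risk score for the user would be the natural third input to this scoring.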

Signals and telemetry architecture

Exfiltration visibility is only as strong as source diversity. A mature Log360 exfiltration pipeline should include:

  • Endpoint execution telemetry: Process creation and command-line events to detect staging tools and archive workflows.
  • Directory and file telemetry: AD and file-share access signals to identify sensitive data targeting before transfer.
  • Network egress telemetry: Firewall, DNS, VPN, and proxy logs for destination, volume, and protocol analysis.
  • Cloud and collaboration telemetry: SaaS upload activity and cloud identity changes for transfer-channel abuse detection.
  • User context: UEBA risk scoring to distinguish normal high-volume workflows from suspicious theft patterns.

Threat hunting queries

Use these hunting patterns in Log360 search and correlation workflows to find probable exfiltration chains:

event_id:4663 AND action:file_read AND user:admin*

Hunt for high-volume sensitive file reads from privileged or service identities.

process_name:7z* OR process_name:rar* OR process_name:winrar.exe

Identify archive tooling on endpoints that do not normally perform packaging operations.

(source:* AND destination:*) AND severity:Critical AND timestamp:[now-24h TO now]

Pivot on high-severity outbound events in the same window as suspicious staging activity.

event_id:4769 AND action:TGS_request

Monitor unusual Kerberos ticket request behavior around suspected outbound activity for identity misuse context.

Response and containment playbook

  1. Contain the channel: Block suspicious destinations, disable impacted identities, and isolate suspected transfer hosts.
  2. Preserve evidence: Export Log360 correlated timelines, raw logs, and account/session artifacts before cleanup.
  3. Scope exposure: Identify data classes accessed, transfer windows, and systems touched by the same principal or host.
  4. Coordinate legal/compliance: Trigger notification assessments based on data type and jurisdictional obligations.
  5. Harden recurrence controls: Implement custom correlations for missed patterns and tighten egress policy segmentation.

ManageEngine Log360 for exfiltration detection

Detect multi-stage data theft earlier by correlating endpoint staging, identity anomalies, and outbound traffic signals in one investigative timeline.

How TA0010 connects to other tactics

Exfiltration is rarely the first observable signal in a campaign. Most incidents start with initial access, progress through execution and credential abuse, then move into collection before data exits. Detection engineering should therefore map TA0010 analytics to TA0001, TA0002, TA0006, and TA0009 signals so SOC teams can interrupt campaigns earlier.

Log360 supports this approach by mapping detections to MITRE ATT&CK context and enabling cross-tactic investigation. Analysts can pivot from exfiltration indicators to upstream behavior such as phishing delivery, suspicious PowerShell execution, credential dumping, and abnormal remote access to build complete incident scope.

Figure 4: Log360 rule library highlighting all the correlation rules of Exfiltration


FAQ

1. What is exfiltration (TA0010) in MITRE ATT&CK?

Exfiltration (TA0010) in the MITRE ATT&CK framework is the stage where adversaries remove data from your environment. It usually follows credential access, collection, and command-and-control activity.

2. How many Log360 detections map to exfiltration?

Log360 maps 67 detections to exfiltration-related behavior across Windows, network, and SonicWall telemetry. The public capability file shows strong adjacent detections and selective direct exfiltration signals, with custom rule opportunities for protocol-specific exfiltration patterns.

3. Can Log360 detect NTDS exfiltration attempts?

Yes. Log360 includes NTDS Exfiltration Filename Patterns and NTDS.DIT Created by Uncommon Process, which help detect attempts to stage and move Active Directory credential databases.

4. What logs are most important for exfiltration detection?

Prioritize endpoint process and file logs, AD object/file auditing, VPN and firewall telemetry, DNS logs, cloud audit trails, and collaboration platform logs. Log360 can correlate these sources to surface multi-step exfiltration chains.

5. What should SOC teams do first when exfiltration is detected?

Immediately contain the transfer path, isolate impacted endpoints, and preserve evidence. Then scope what was accessed and what left the environment using the correlated timeline.

6. How is exfiltration different from collection?

Collection is data gathering inside the victim environment; exfiltration is the outbound transfer outside your control boundary. Detection strategy should distinguish internal staging from outbound movement and correlate both to reduce false positives.
