Searches for data exfiltration
| Data types | Description | Acknowledgments |
|---|---|---|
| Endpoint / network | 1fichier | - |
| Endpoint / network | 4downfiles | - |
| Endpoint / network | 4Shared | - |
| Endpoint / network | ADrive | - |
| Endpoint | Airdrop activity | https://twitter.com/plugxor/status/1113360821441114112?s=20 |
| Endpoint / network | Akcdkvdo | - |
| Endpoint / network | Anomalous AFP activity | - |
| Endpoint / network | Anomalous Azure CFS activity | https://twitter.com/j_angliss/status/1113601017210384386 |
| Endpoint / network | Anomalous B2 Cloud Storage activity | https://twitter.com/knottkatt/status/1113633661683765251 |
| Endpoint / network | Anomalous Backblaze activity | https://twitter.com/knottkatt/status/1113633661683765250 |
| Endpoint / network | Anomalous BGP activity | - |
| Endpoint / network | Anomalous bluetooth activity | https://twitter.com/gaunt_argon/status/1113587532032368645 |
| Endpoint / network | Anomalous connections from IoT subnets | https://twitter.com/gaunt_argon/status/1113587532032368647 |
| Endpoint / network | Anomalous connections to IoT subnets | https://twitter.com/gaunt_argon/status/1113587532032368646 |
| Endpoint / network | Anomalous database port activity | - |
| Endpoint / network | Anomalous DNS Outbound | - |
| Endpoint / network | Anomalous DNS Traffic | - |
| Endpoint / network | Anomalous FTP activity | - |
| Endpoint / network | Anomalous GCP PubSub Activity | - |
| Endpoint / network | Anomalous Google docs activity | https://twitter.com/j_angliss/status/1113601017210384385 |
| Endpoint / network | Anomalous HTTP activity | - |
| Endpoint / network | Anomalous ICMP Outbound😊 | - |
| Endpoint / network | Anomalous IMAP Outbound | - |
| Endpoint / network | Anomalous Kafka activity | https://twitter.com/formatamerica/status/1113607427751055361 |
| Endpoint / network | Anomalous NFS activity | - |
| Endpoint / network | Anomalous POP3 Outbound | - |
| Endpoint / network | Anomalous RabbitMQ activity | https://twitter.com/formatamerica/status/1113607427751055360 |
| Endpoint / network | Anomalous RDP Outbound | - |
| Endpoint / network | Anomalous rsynch activity | - |
| Endpoint / network | Anomalous SCP Outbound | - |
| Endpoint / network | Anomalous SIP activity | https://twitter.com/zamboughnuts/status/1113681664197242881 |
| Endpoint / network | Anomalous SMB / CIFS activity | - |
| Endpoint / network | Anomalous SMTP Outbound | - |
| Endpoint / network | Anomalous SNMP activity | https://twitter.com/p0lyblank/status/1116039542954504192 |
| Endpoint / network | Anomalous SSDP activity | https://twitter.com/starksean/status/1113226004053491713?s=22 |
| Endpoint / network | Anomalous SSH Outbound | - |
| Endpoint / network | Anomalous STUN activity | - |
| Endpoint / network | Anomalous TFTP Outbound | - |
| Endpoint / network | Anomalous TLS mutual auth outbound | https://twitter.com/SourceFrenchy/status/1113159310161403911?s=20 |
| Endpoint / network | Anomalous UDP activity | - |
| Endpoint / network | Anomalous UPNP activity | https://twitter.com/starksean/status/1113226004053491713?s=21 |
| Endpoint / network | Anomalous webDAV Outbound | - |
| Endpoint / network | Anomalous WhatsApp activity | https://twitter.com/gaunt_argon/status/1113571771641413636 |
| Endpoint / network | Anomalous whois activity | - |
| Endpoint | Anomalous WiFi network addition | https://twitter.com/starksean/status/1113226004053491713?s=23 |
| Endpoint | Anomalous X Windows Activity | - |
| Endpoint / network | Badongo | - |
| Endpoint / network | Bandcamp | - |
| Endpoint / network | BigUpload | - |
| Endpoint / network | Bitbucket | - |
| Endpoint / network | BMC remote serial console | https://twitter.com/kc8apf/status/1113633350630006785 |
| Endpoint / network | BMC virtual media activity | https://twitter.com/kc8apf/status/1113633350630006784 |
| Endpoint / network | Box.com | - |
| Endpoint / network | Chat activity | - |
| Endpoint | command line mail activity (sendmail, etc.) | - |
| Endpoint | CPU util square wave side channel between two VMs (DEF CON 2015/16) | - |
| Endpoint / network | Data intensive outbound web activity | - |
| Endpoint | dd / kmem data piped to ssh | https://twitter.com/The_IMOL/status/1113094683721428992?s=20 |
| Endpoint / network | DigitalOcean Spaces | - |
| Endpoint / network | Discord | https://twitter.com/_Bytemare/status/1117702854632980482 |
| Endpoint / network | DivShare | - |
| Endpoint / network | Docker | API, File Etc. |
| Endpoint / network | Dontpad | - |
| Endpoint / network | Driveway | - |
| Endpoint / network | Drop.io | - |
| Endpoint / network | Dropbox | https://twitter.com/SirMuDbl00d |
| Endpoint / network | DropSend | - |
| Endpoint / network | DynamoDB ETL | - |
| Endpoint | echo command activity | - |
| Endpoint / network | eFileCabinet | - |
| Endpoint / network | ElastiCache | - |
| Endpoint / network | Email drafting | https://twitter.com/n1c_fury/status/1113702163375464448 |
| Endpoint / network | Facebook Messenger | - |
| Endpoint / network | Facebook photos | - |
| Endpoint / network | File Dropper | - |
| Endpoint / network | File Savr | - |
| Endpoint / network | FileFactory | - |
| Endpoint / network | Filerio | - |
| Endpoint / network | Files2U | - |
| Endpoint / network | FileZilla | - |
| Endpoint / network | fireaway activity (https://github.com/tcstool/Fireaway) | https://twitter.com/tcstoolHax0r/status/1113427818145357824?s=20 |
| Endpoint / network | Firebase | - |
| Endpoint / network | Firefox Send | https://twitter.com/MetalPlates/status/1113859958095863808 |
| Endpoint / network | Flickr | - |
| Endpoint | ftp command activity | - |
| Endpoint / network | GCP SQL ETL | - |
| Endpoint / network | GCP Storage uplaod | - |
| Endpoint / network | GDrive upload | - |
| Endpoint / network | Ghostbin | - |
| Endpoint / network | Github | commit messages with c2 instructions |
| Endpoint / network | GlassCubes | - |
| Endpoint / network | Gmail upload | - |
| Endpoint / network | Go2Meeting activity | - |
| Endpoint / network | Google hangout | - |
| Endpoint / network | Google image search redirect | https://twitter.com/ryancdotorg/status/1113449952892424193 |
| Endpoint / network | Google photos | - |
| Endpoint / network | GRE | https://twitter.com/SamStelfox/status/1114041979694923781 |
| Endpoint / network | HasteBin and assorted services? | - |
| Endpoint / network | Hightail | - |
| Endpoint / network | HTTP Header Blobs | https://twitter.com/dracyrys/status/1114113016012783618 |
| Endpoint / network | iCloud upload | - |
| Endpoint / network | ilos | - |
| Endpoint / network | imgur.com | - |
| Endpoint / network | - | |
| Endpoint / network | iodine activity | - |
| Endpoint / network | IP over AC with QoS | https://tools.ietf.org/html/rfc2549 |
| Endpoint / network | IP-IP | https://twitter.com/SamStelfox/status/1114041979694923782 |
| Endpoint / network | IPv6 mobility discovery requests | https://twitter.com/SamStelfox/status/1114041979694923778 |
| Endpoint / network | IRC activity | - |
| Endpoint | iTunes uploads | https://twitter.æ/plugxor/status/1113360821441114112?s=20 |
| Endpoint / network | Jumpshare | - |
| Endpoint / network | Keybase | https://twitter.com/_Bytemare/status/1117702854632980485 |
| Endpoint / network | large outbound byte count | Where aggregate bytes out totals more than 100 MB |
| Endpoint / network | Line | https://twitter.com/_Bytemare/status/1117702854632980484 |
| Endpoint / network | https://twitter.com/Daniel_Cybersec/status/1113643592701153280 | |
| Endpoint / network | Local Directory | - |
| Endpoint / network | Long flows | - |
| Endpoint / network | long outbound connection | Where the first event and last event are 12 hours apart |
| Endpoint | Magic Wormhole | https://github.com/warner/magic-wormhole |
| Endpoint / network | mailbigfile.com | - |
| Endpoint / network | Mailslots | - |
| Endpoint / network | MediaFire | - |
| Endpoint / network | MEGA | - |
| Endpoint / network | MegaUpload | - |
| Endpoint | Mosquito | https://twitter.com/dyspyra/status/1113480669877948416?s=20 |
| Endpoint / network | MSSQL ETL | - |
| Endpoint | Multi-function printers | - |
| Endpoint / network | MySQL ETL | - |
| Endpoint | net use command activity | - |
| Endpoint | Netcat data transfer | - |
| Endpoint / network | Nextcloud Talk | https://twitter.com/_Bytemare/status/1117702854632980483 |
| Endpoint | NFCDrip | https://twitter.com/p0lyblank/status/1116039542954504192 |
| Endpoint | ngrok | https://twitter.com/plugxor/status/1113360821441114112?s=20 |
| Endpoint / network | Nitroflare | - |
| Endpoint / network | Non-Critical IPv6 headers | https://twitter.com/SamStelfox/status/1114041979694923777 |
| Endpoint / network | OneDrive upload | - |
| Endpoint / network | Outbound data geometry | - |
| Endpoint / network | Pan.baidu | - |
| Endpoint / network | Pando | - |
| Endpoint | password protected archive file outbound | - |
| Endpoint / network | PasteBin | - |
| Endpoint | payload2wav activity | https://twitter.com/SourceFrenchy/status/1113159310161403911?s=20 |
| Endpoint / network | PCAnywhere activity | - |
| Endpoint / network | Peer-to-Peer activity | - |
| Endpoint / network | Piggybacked regular files | - |
| Endpoint / network | PipeBytes | - |
| Endpoint / network | Postgresql synch | - |
| Endpoint | Power line signaling (DEF CON 2010) | - |
| Endpoint / network | Rapidgator | - |
| Endpoint / network | Rapidshare activity | - |
| Endpoint / network | RDS ETL | - |
| Endpoint / network | RealtimeBoard | - |
| Endpoint / network | - | |
| Endpoint / network | Redis | - |
| Endpoint / network | rocket[.]chat | https://twitter.com/_Bytemare/status/1117702854632980481 |
| Endpoint / network | rsync | - |
| Endpoint / network | Russian VKontakte social media site | - |
| Endpoint / network | S3 upload | - |
| Endpoint / network | sasda | should include image steganography |
| Endpoint | scapy activity | https://twitter.com/DgLeukocyte/status/1113486781901467649?s=20 |
| Endpoint / network | SCP command activity | - |
| Endpoint / network | SCTP Activity | https://twitter.com/SamStelfox/status/1114041979694923780 |
| Endpoint | SDR client / device driver activity | - |
| Endpoint / network | Send | - |
| Endpoint / network | Send Anywhere | - |
| Endpoint / network | Send Firefox | - |
| Endpoint | Sendspace activity | - |
| Endpoint / network | SendThisFile | - |
| Endpoint / network | Senduit | - |
| Endpoint / network | Sharefile | - |
| Endpoint / network | Sharefile | - |
| Endpoint / network | Sharepoint upload | - |
| Endpoint | Short range audio transmision (who did this?) | http://www.erikyyy.de/tempest/ |
| Endpoint / network | Signal | https://twitter.com/_Bytemare/status/1117702854632980480 |
| Endpoint / network | Skype upload | - |
| Endpoint / network | Slack | - |
| Endpoint / network | Smash | - |
| Endpoint | smb command activity | - |
| Endpoint / network | Snapchat | - |
| Endpoint | Social media activity from a non-browser | - |
| Endpoint / network | Solidfiles | - |
| Endpoint / network | Soundcloud | - |
| Endpoint / network | SQS messaging | - |
| Endpoint / network | SSH tunneling | - |
| Endpoint / network | Streamfile | - |
| Endpoint / network | Subyshare | - |
| Endpoint / network | TCP flags as covert channel | https://www.xc0re.net/2018/05/21/tcp-based-covert-channel/ |
| Endpoint / network | TCP Window Blobs | https://twitter.com/dracyrys/status/1114113016012783617 |
| Endpoint / network | TeamViewer activity | - |
| Endpoint / network | Telegram activity | https://twitter.com/gaunt_argon/status/1113571771641413633 |
| Endpoint / network | Telnet activity | https://twitter.com/Scott_Stanton/status/1113620237092626432 |
| Endpoint / network | Terashare | - |
| Endpoint / network | Teredo | https://twitter.com/SamStelfox/status/1114041979694923779 |
| Endpoint / network | TFTP Actvitiy | - |
| Endpoint / network | Tinyupload | - |
| Endpoint / network | Torrent activity | - |
| Endpoint / network | TransferBigFiles | - |
| Endpoint / network | Uploaded | - |
| Endpoint / network | Uptobox | - |
| Endpoint / network | Usenet /newsgroup activity | https://twitter.com/plugxor/status/1113360821441114112?s=20 |
| Endpoint / network | Userscloud | - |
| Endpoint | VM side channel shown at Shmoo 2019 | - |
| Endpoint / network | VNC Activity | - |
| Endpoint / network | Volafile | - |
| Endpoint / network | Web based file transfer activity | - |
| Endpoint / network | Webex | - |
| Endpoint / network | Wetransfer | - |
| Endpoint / network | Wetransfer activity | https://twitter.com/jimiDFIR/status/1113589116799791104 |
| Endpoint / network | Wickr activity | https://twitter.com/gaunt_argon/status/1113571771641413635 |
| Endpoint / network | Wikipedia | https://twitter.com/Daniel_Cybersec/status/1117413311254077440 |
| Endpoint / network | Wikisend | - |
| Endpoint / network | WinRM / psessions | https://twitter.com/mewhooo/status/1113665836995076097 |
| Endpoint / network | WinSCP | - |
| Endpoint / network | Wire activity | https://twitter.com/gaunt_argon/status/1113571771641413634 |
| Endpoint / network | Yahoo mail | - |
| Endpoint / network | Yousendit | - |
| Endpoint / network | Youtube | - |
| Endpoint / network | ZeroTier | https://www.zerotier.com/ |
| Endpoint / network | Zeta Uploader | - |
| Endpoint / network | Zoho Docs | - |
| Endpoint / network | Zoom | and transcript service that is a third party to Zoom |