Data Exfiltration

Data Exfiltration (Windows/Mac)

The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: DATA EXFILTRATION.

ALERT RULE

Description

Accessing upload and sharing cloud services

An alert is triggered upon browsing to websites that offer cloud transfer or storage services, in order to potentially upload a file and share it with another person. This action can indicate an intent to remove sensitive information from the organization.

Browsing for files to be inserted as an attachment in Outlook

An alert is triggered when any user browses for a file to be inserted as an attachment to an Outlook email message.

Connecting unlisted USB device

An alert is triggered upon either insertion of a USB device or detecting an already connected USB device which is not part of the white listed USB devices. Note that this alert is relevant only for agents from version 7.7 onward.

Connecting USB Storage Device (before 7.7)

An alert is triggered upon connecting a USB storage device to the computer with an agent older than version 7.7. This operation can indicate an early intent to either take out sensitive information or to copy files/folders into the organization assets.

Connecting white listed or ignored USB device

An alert is triggered upon either insertion of a USB device or detecting an already connected USB device which is either white listed or exists in the ignored list.

Copying any text from a sensitive file

An alert is triggered when any user copies text from a file in the list named “Sensitive files”.

Copying any text from sensitive desktop application

An alert is triggered upon copying to the clipboard any text from a predefined sensitive desktop application.

Copying any text from sensitive web application

An alert is triggered upon copying to the clipboard any text from a predefined sensitive web application.

Copying credit card number to the clipboard

An alert is triggered when a credit card number is copied to the clipboard.

Copying predefined keyword from sensitive web application

An alert is triggered upon copying to the clipboard a predefined keyword from a predefined sensitive web application.

Copying predefined keyword from sensitive desktop application

An alert is triggered upon copying to the clipboard a predefined keyword from a predefined sensitive desktop application.

Copying sensitive file

An alert is triggered upon copying to the clipboard files that are predefined as sensitive. This operation could indicate an intent to steal sensitive information from the organization.

Copying sensitive folder

An alert is triggered upon copying to the clipboard folders that are predefined as sensitive. This operation could indicate an intent to steal sensitive information from the organization.

Exfiltrating a file that was tagged with a sensitive MIP label

An alert is triggered upon exfiltrating any file (tracked or non-tracked) whose either origin (upon beginning of tracking) or final (upon exfiltration) MIP label is part of the list of sensitive labels.

Exfiltrating a file to an unlisted USB device

An alert is triggered upon exfiltrating a file (both tracked file and non-tracked file) to an unlisted USB device. Note that this rule will not be triggered for files named in the exclusion list: Excluded file names for alerts on exfiltration.

Exfiltrating a file to the web by uploading

An alert is triggered when any user uploads any file from any origin to any website or web-application.

Exfiltrating tracked file to a cloud sync folder or any web file

An alert is triggered when any user moves or copies a tracked file (downloaded or exported from the web) to a cloud storage sync folder.

Exfiltrating tracked file to the web by uploading

An alert is triggered when any user uploads a tracked (downloaded or exported from the web) file to any website or web-application.

Exfiltrating sensitive data via SFTP, SCP or RSYNC to Amazon

An alert is triggered when any user attempts to exfiltrate sensitive data via SFTP, SCP or RSYNC to Amazon.

Exporting data from enterprise web application by file downloading

An alert is triggered upon downloading a file from a list of sensitive enterprise web applications.

Opening AirDrop sharing folder on Mac

Note: This rule applies specifically on Mac systems.

An alert is triggered upon opening a local folder that allows sharing with a remote device. This operation can indicate an early intent to copy sensitive information to other devices to exfiltrate it from the organization.

Opening cloud storage sync folder

An alert is triggered upon opening a local folder whose content is always synchronized with a remote cloud storage service. This operation could indicate an intent to copy sensitive information to this folder in order to steal it from the organization.

Opening cloud storage sync folder on Mac

Note: This rule applies specifically on Mac systems.

An alert is triggered upon opening a local folder in which content is always synchronized with a remote cloud storage service. This operation can indicate an early intent to copy sensitive information to this folder to exfiltrate it from the organization.

Pasting files copied from sensitive folders

An alert is triggered upon pasting files or folders that were originally copied from a folder that appears in the list of sensitive folders.

Pasting screenshot or image into sensitive desktop application

An alert is triggered upon performing paste of screenshot or image into desktop application (Accessing cloud services for upload and sharing by Process Name) that is part of the list of sensitive desktop applications for pasting text or images into them.

Pasting screenshot or image into sensitive web application

An alert is triggered upon performing paste of screenshot or image into web application (by site name) that is part of the list of sensitive web applications for pasting text or images into them.

Pasting text into sensitive desktop application

An alert it triggered upon performing paste of text into application (by Process Name) that is part of the list of sensitive desktop applications for pasting text into them.

Pasting text into sensitive web application

An alert is triggered upon performing paste of text into a web application (by site name) that is part of the list of sensitive web applications for pasting text into them.

Pasting text that contains predefined sensitive keywords

An alert is triggered upon pasting text that contains keywords that are part of the list of sensitive keywords to be monitored for copy & paste.

Pasting text that contains predefined sensitive keywords

An alert is triggered upon pasting text that contains keywords that are part of the list of sensitive keywords to be monitored for copy & paste.

Pasting sensitive files or folders

An alert is triggered upon pasting files or folders that are part of the list of sensitive files or the list of sensitive folders.

Performing large file or folder copy

An alert is triggered upon copying to clipboard either a large number of files/folders or files/folders whose total size exceeds the thresholds defined in Server Policy. This action could indicate an intent to steal information from the organization.

Performing large file or folder copy during irregular hours

 

An alert is triggered upon copying to clipboard during irregular working hours either a large number of files/folders or files/folders whose total size exceeds the thresholds defined in a Server Policy. This could indicate an intent to steal information.

Printing large number of pages during irregular hours

 

An alert is triggered upon sending large number of pages to a printer during irregular working hours. This action could indicate that the user is stealing information from the organization.

Printing sensitive documents

 

An alert is triggered upon sending to a printer one of the predefined sensitive documents. This action could indicate that the user is stealing sensitive information from the organization.

Running a cloud backup application

 

An alert is triggered upon running a cloud backup software that can copy files/folders to a remote location. This action could indicate an intent to steal sensitive information from the organization.

Running Android File Transfer on Mac

Note: This rule applies specifically on Mac systems.

An alert is triggered upon using the Android File Transfer application on Mac. This operation can indicate an early intent to copy sensitive information to a private phone to exfiltrate it from the organization.

Running CD or DVD burning tools

 

An alert is triggered upon running a CD/DVD burning software. This operation could indicate an intent to steal sensitive information from the organization.

Saving email file attachment to a local sync folder

This alert will be triggered upon saving a file attachment from email client directly to one of the supported local sync folders.

Saving email file attachment to a USB storage device

This alert will be triggered upon saving a file attachment from email client directly to a USB storage device.

Sending email with large file attachment to untrusted domain

This alert will be triggered upon sending out email to at least one untrusted domain with file attachment which is larger than predefined value (5MB by default).

Sending email with sensitive file attachment to untrusted domain

This alert will be triggered upon sending out email with file attachment whose name is within the predefined list of sensitive files, and where at least one of the recipients is within untrusted domain.

Sending email with sensitive keywords in Subject to untrusted domain

This alert will be triggered upon sending out email that contains in the Subject a sensitive keyword (that appears in a dedicated list), and where the list of recipients includes at least one recipient in an untrusted domain.

Synchronizing MS-Office document with another Microsoft account

An alert is triggered upon opening the Switch Account window in Microsoft Office applications. This action could indicate an intent to send the currently opened document out of the organization to a private account.

Taking screenshot using keyboard shortcut

An alert is triggered upon taking screenshots on Windows or Mac via the relevant keyboard shortcuts in each operating system.

Typing sensitive intellectual property related words in web mail, Chat, IM, Social Media sites

An alert is triggered upon browsing to web mail, Chat, IM or Social Media sites and typing words that are confidential from intellectual property aspects.

Uploading files to a web site using curl on Mac

An alert is triggered when any user on a Mac endpoint attempts to use curl to upload a file to any website.

Uploading or sharing files via cloud storage services

An alert is triggered upon browsing to websites that offer cloud transfer or storage services, in order to potentially upload a file and share it with another person. This action could indicate an intent to steal sensitive information from the organization.

 

Data Exfiltration (Unix/Linux)

The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: DATA EXFILTRATION.

ALERT RULE

Description

Exfiltrating data from the server via Unix email tools

An alert is triggered upon running Unix email tools (such as MAILX, SSMTP, MAIL, SENDMAIL, MUTT) to transfer data out of the server.

Exfiltrating data via email using TELNET

An alert is triggered upon running TELNET to send out an email from the server.

Exfiltrating sensitive system files via SFTP, SCP or RSYNC

An alert is triggered upon running an SFTP/SCP or RSYNC command in order to exfiltrate a file from a sensitive directory.

Exfiltrating SSL certificates and associated private keys via SFTP, SCP or RSYNC

An alert is triggered when a user attempts to exfiltrate an SSL certificate using SFTP, SCP or RSYNC.

Potential backdoor data exfiltration using ICMP

An alert is triggered when a user attempts to exfiltrate system information using PING.

Prevent exfiltration of Passwd, Group, Shadow, Profile files via SFTP

An alert is triggered when Passwd, Group, Shadow or Profile files are exfiltrated via SFTP.

Prevent exfiltration of SSH or SSHD configuration files or keys via SFTP

An alert is triggered when SSH or SSHD configuration files or keys are exfiltrated via SFTP.

Retrieving the Passwd, Group, Shadow or Profile files via SFTP, SCP or RSYNC

An alert is triggered upon running the GET command via SFTP/SCP or RSYNC to retrieve sensitive files (Passwd, Group, Shadow or Profile) from a remote configuration directory.

Running SFTP, SCP or RSYNC on SSH or SSHD configuration files

An alert is triggered upon running the SFTP/SCP or RSYNC command to exfiltrate an SSH or SSHD configuration file from a server.

Uploading files to a web site using curl on Unix or Linux

An alert is triggered when any user on a Unix or Linux endpoint attempts to use curl to upload a file to any website.