Notes on Evidence of Exfiltration - davepo/AKA GitHub Wiki

Evidence of Exfiltration

Document Incomplete - Notes not yet added

Notes on items to consider when investigating evidence of exfiltration. This is not an all-encompassing list and is presented in no particular order.

Compression

  • Evidence of execution of compression tools (e.g. 7-Zip)

Clustering

  • Clustering of unrelated or high-value files in an abnormal location.
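Both indicators above as detection logic, added here as an example that is not part of this wiki: it flags archiver executions in a constructed process-execution list and directories in unusual locations holding several high-value files of mixed kinds. The tool names, extensions and "abnormal" locations are assumed starting points to be tuned per environment, and the sample records are constructed, not real evidence.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: (timestamp, user, image path, command line), as you
# would assemble from Prefetch, Amcache, Sysmon event ID 1 or EDR telemetry.
PROCESS_EVENTS = [
    ("2024-03-01T09:12:00", "jdoe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ("2024-03-01T22:41:07", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\7za.exe",
     r"7za.exe a -p C:\ProgramData\Temp\out.7z C:\ProgramData\Temp\stage"),
    ("2024-03-01T22:43:00", "jdoe", r"C:\Program Files\7-Zip\7z.exe", "7z.exe l out.7z"),
]

# Constructed sample file listing, as produced by a filesystem walk or MFT parse.
FILE_LISTING = [
    r"C:\ProgramData\Temp\stage\board_minutes_q4.docx",
    r"C:\ProgramData\Temp\stage\payroll_2024.xlsx",
    r"C:\ProgramData\Temp\stage\vpn_root.pem",
    r"C:\ProgramData\Temp\stage\customers.sql",
    r"C:\ProgramData\Temp\stage\readme.txt",
    r"C:\Users\jdoe\Documents\notes.docx",
    r"C:\Users\jdoe\Documents\budget.xlsx",
]

# Assumed lists: known archivers, file types treated as high value, and
# locations where user documents normally do not live.
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "7zg.exe", "winrar.exe", "rar.exe", "zip.exe", "tar.exe", "makecab.exe"}
HIGH_VALUE_EXT = {".docx", ".xlsx", ".pdf", ".pst", ".kdbx", ".pem", ".key", ".sql"}
ABNORMAL_DIRS = ("c:\\programdata", "c:\\windows\\temp", "c:\\perflogs", "c:\\users\\public", "\\appdata\\local\\temp")


def archive_tool_executions(events):
    """Return events whose image name is a known archiver (an archiver run from a
    temp directory, or with a password switch, deserves a closer look)."""
    return [e for e in events if PureWindowsPath(e[2]).name.lower() in ARCHIVE_TOOLS]


def high_value_clusters(paths, min_files=3, min_kinds=2):
    """Group high-value files by directory and flag abnormal directories that hold
    at least min_files of them spanning at least min_kinds different types."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() in HIGH_VALUE_EXT:
            by_dir[str(wp.parent).lower()].append(wp.suffix.lower())
    hits = {}
    for d, exts in by_dir.items():
        abnormal = any(h in d for h in ABNORMAL_DIRS)
        if abnormal and len(exts) >= min_files and len(set(exts)) >= min_kinds:
            hits[d] = {"files": len(exts), "kinds": sorted(set(exts))}
    return hits
```

On the sample data this reports the two 7-Zip executions and the staging directory under C:\ProgramData holding four high-value files of four kinds.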