Evidence of Exfiltration

Document Incomplete - Notes not yet added

Notes on items to consider when investigating evidence of exfiltration. This is not an all-encompassing list and is presented in no particular order.

Compression

• Evidence of execution of compression tools (ie. 7zip)

Clustering

• Clustering of unrelated or high-value files in an abnormal location.