From b531c3e775518041ae24766a606aafd4d1a5a537 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 12:22:16 -0500 Subject: [PATCH] Putting wrap on Exfil queries for now --- Tactics/Exfiltration.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Tactics/Exfiltration.md b/Tactics/Exfiltration.md index e2964db..82d7024 100644 --- a/Tactics/Exfiltration.md +++ b/Tactics/Exfiltration.md @@ -1,10 +1,12 @@ ## Exfiltration +There are a number of ways to use current supported indicators to detect data exfiltration, some with higher accuracy than others. Detection by command lines can have environmental noise, detection based on network connection indicators may require lost of custom filtering as well. Exfiltration queries need to be expanded, but for now I've limited them to the Atomic Red Team tests that can be detected. + ### T1020 Automated Exfiltration Atomics: [T1020](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md) +Detection of powershell data POST and PUT with Invoke-WebRequest. -### T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol -Atomics: [T1048.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md) - - +``` +SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post") +```
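Review bot: the added T1020 query is a narrow literal match and the description line should say so; `SrcProcCmdLine ContainsCIS "Invoke-WebRequest"` will not fire on the built-in `iwr` alias, and `"-Method Put"` / `"-Method Post"` will not fire when PowerShell's accepted unambiguous parameter prefixes (e.g. `-Me`) or extra whitespace between the parameter and its value are used, so consider either broadening the match or noting these coverage gaps next to the query, consistent with the new intro paragraph's point that command-line detections are noisy and limited. Smaller points in the same hunk: "may require lost of custom filtering" should read "lots of custom filtering"; the T1048.003 section is deleted outright rather than marked as not yet covered, which the commit message ("for now") suggests is temporary, so a short placeholder would preserve the technique index; and the new fence is untagged, where the rest of the repository's query blocks would benefit from a consistent tag.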