
Detect SNICat SNI Exfiltration

Splunk Security Content

Summary
This detection identifies potential data exfiltration by looking for SNICat command tokens in the TLS Server Name Indication (SNI) field. SNICat is a tool that uses the SNI extension of the TLS ClientHello as a covert channel for commands and file data, so its traffic resembles ordinary TLS handshakes and can pass inspection devices that do not scrutinize SNI values; a working channel compromises the confidentiality of the data moved across it. The analytic reads Zeek SSL logs and inspects the `server_name` field for the SNICat command tokens LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE and finito. A match indicates that a SNICat agent may be communicating with its controller and raises an alert for investigation. Because several of these tokens are short (LS, LD, CB, EX), the match should be anchored to the position SNICat gives the command inside the SNI value rather than performed as a bare substring search, or legitimate hostnames will generate false positives.
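The following Python is an added example that runs the detection logic described above over Zeek JSON `ssl.log` records; it is not the Splunk search from this content pack. It assumes that SNICat places the command token as the first label of the SNI, separated from a session identifier by a hyphen (for example `LIST-<id>.`), and anchors the match there so that hostnames that merely contain one of the short tokens do not fire. The log lines are constructed for the example, not captured traffic.

```python
import json
import re

# Command tokens named in the detection summary. Matched case-sensitively,
# as SNICat emits them.
SNICAT_COMMANDS = ("LIST", "LS", "SIZE", "LD", "CB", "EX", "ALIVE", "EXIT", "WHERE", "finito")

# Assumption for this example: the command is the leading DNS label of the SNI,
# followed by a hyphen and a session identifier (e.g. "LIST-a1b2c3d4e5f6a7b8.").
# Anchoring on that boundary avoids firing on ordinary hostnames that happen to
# contain a short token such as "EX" or "LS" somewhere inside them.
SNICAT_RE = re.compile(
    r"^(?P<cmd>" + "|".join(SNICAT_COMMANDS) + r")-(?P<sid>[A-Za-z0-9]+)(?:\.|$)"
)


def classify_sni(server_name):
    """Return the matched SNICat command token, or None if the SNI looks benign."""
    if not server_name:
        return None
    m = SNICAT_RE.match(server_name)
    return m.group("cmd") if m else None


def detect(zeek_ssl_lines):
    """Run the check over Zeek ssl.log JSON lines.

    Returns one (src_ip, dst_ip, command, sni) tuple per matching record.
    Records without a server_name field (no SNI in the ClientHello) are skipped.
    """
    hits = []
    for line in zeek_ssl_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        cmd = classify_sni(rec.get("server_name"))
        if cmd:
            hits.append((rec.get("id.orig_h"), rec.get("id.resp_h"), cmd, rec["server_name"]))
    return hits


def summarize(hits):
    """Count command tokens per source host, the aggregation an alert would key on."""
    counts = {}
    for src, _dst, cmd, _sni in hits:
        per_host = counts.setdefault(src, {})
        per_host[cmd] = per_host.get(cmd, 0) + 1
    return counts


# Constructed sample records in Zeek JSON ssl.log shape (not real traffic).
# 10.0.0.5 issues three SNICat commands; the other hosts are benign, including
# one SNI that contains "LS" but is not a SNICat command, and one with no SNI.
SAMPLE_LOG = """
{"ts":1731672000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"LIST-a1b2c3d4e5f6a7b8.","established":true}
{"ts":1731672001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"EX-a1b2c3d4e5f6a7b8.","established":true}
{"ts":1731672002.3,"uid":"C3","id.orig_h":"10.0.0.7","id.orig_p":51002,"id.resp_h":"198.51.100.20","id.resp_p":443,"server_name":"www.example.com","established":true}
{"ts":1731672003.4,"uid":"C4","id.orig_h":"10.0.0.7","id.orig_p":51003,"id.resp_h":"198.51.100.21","id.resp_p":443,"server_name":"TLS-EXAMPLE.net","established":true}
{"ts":1731672004.5,"uid":"C5","id.orig_h":"10.0.0.9","id.orig_p":51004,"id.resp_h":"198.51.100.22","id.resp_p":443,"established":false}
{"ts":1731672005.6,"uid":"C6","id.orig_h":"10.0.0.5","id.orig_p":51005,"id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"finito-a1b2c3d4e5f6a7b8.","established":true}
"""


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(summarize(found))
```

Running the script lists the three SNICat records from 10.0.0.5 and nothing from the other hosts; the `TLS-EXAMPLE.net` record shows why the anchored pattern matters, since a plain substring search for `LS` would have flagged it. In a real deployment the per-host summary is what you would alert on, and the session identifier captured in the `sid` group can be used to tie the sequence of commands for one SNICat session together.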
Categories
  • Network
Data Sources
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1041
Created: 2024-11-15