Exfiltration Flashcards

1
Q

Exfiltration

A

At some point an adversary needs to fulfil their objectives, which quite often means stealing valuable data. These actions are referred to as exfiltration, the tenth phase within the MITRE ATT&CK framework. The Exfiltration phase consists of techniques used to steal data from the compromised network and systems, together with ways of avoiding detection while doing so. This can include compressing, encrypting or encoding files before removing them from the network, and it typically involves transferring them over a command-and-control communication channel. Exfiltration has 9 techniques at the time of writing. We will be looking at the following:

Exfiltration Over C2 Channel
Scheduled Transfer

2
Q

Exfil over C2 Channel

A

MITRE Technique T1041

As previously explained, adversaries may use existing command and control channels to exfiltrate data out of a network. Adversaries can embed the stolen data within the beacons that call out to their C2 servers.

A key way of checking for the exfiltration of files is to look for clients sending a significant amount of data out to a server. A NIDS (Network Intrusion Detection System) can also be utilised, as rules can be created to alert on the ‘magic bytes’ of files; a rule can essentially be created to alert any time a Microsoft Word file is seen being transferred over the network. Another method of detection is detecting the C2 server itself: beacons will quite often call out to the external IP address at regular intervals, with a slight “jitter” set by the adversary. Frequency analysis is a common method of detecting this.

3
Q

Scheduled Transfer

A

MITRE Technique T1029

Adversaries may schedule data exfiltration to occur only at specific times in an attempt to evade Network Intrusion Detection and Prevention Systems (NIDS/NIPS) or security analysts and ensure that they can exfiltrate as much data as possible before being discovered.

The ADVSTORESHELL malware will collect data, compress it, encrypt it, and upload it to the command-and-control server every 10 minutes. While this may be fairly easy to detect due to the short timeframe between uploads, it ensures that a lot of data can be retrieved from the system quickly. Cobalt Strike, the popular offensive security platform, can set the beacon payload (code that attempts to connect to the C2 server) to use a random interval to make it harder to spot. This tool can also break large files into smaller chunks to allow for a more subtle transfer out of the network. Both ComRAT and Dipsind can be set to operate only during standard business hours (9-5) to help them blend in with normal traffic.

The key suggested mitigation is the use of NIDS/NIPS tools such as Snort and Bro/Zeek to detect, alert on, and respond to suspicious or malicious activity over the network.

To detect this technique we should monitor for unusual processes that are accessing files and making network connections, as this could represent an adversary exfiltrating data. Looking for network connections with large packets could also assist with detecting file uploads.
