This micro emulation plan targets malicious activity surrounding TA0010 Exfiltration. Data theft via exfiltration is very often part of, if not the primary objective, of an intrusion/campaign and is comprised of compound behaviors involving both exfiltration as well as TA0009 Collection techniques.
You can access the binary for this micro plan as part of the latest release.
Table Of Contents:
What are we doing? This module provides an easy-to-execute tool that:
- Creates dummy files
- Enumerates the dummy files (T1083 File and Directory Discovery)
- Reads the dummy files (T1005 Data from Local System) then creates a local zip archive of the data (T1560.002 Archive Collected Data: Archive via Library + T1074.001 Data Staged: Local Data Staging)
- [Optional] encrypts the archive file (T1027 Obfuscated Files or Information)
- Exfiltrates the archive file to a dummy server (T1048 Exfiltration Over Alternative Protocol) over a specified IP:Port as well as protocol (TCP, TLS, QUIC)
- Deletes the archive file (T1070.004 Indicator Removal: File Deletion) as well as the dummy files
Why should you care? Exfiltration of sensitive data is a very common goal for intrusion campaigns (and often included in tandem with other actions, such as double extortion ransomware). This establishes data theft as a prioritized threat for organizations of all sizes, industries, and geographies.
Data theft most directly maps to techniques within TA0010 Exfiltration, but is often a compilation and conclusion to a series of related behaviors involving TA0007 Discovery, TA0009 Collection, TA0011 Command and Control, and even TA0005 Defense Evasion techniques.
This cross-platform module (separate binaries for Windows and Linux) has been compiled into an easy-to-execute tool. The module is logically split as a client and server communication nodes, but can be fully executed on one host. If you wish to customize or build from source code, Windows/Linux binaries can be made using make windows and make linux respectively.
By default the data_exfil_windows.exe (or data_exfil_linux) tool coordinates execution and connection between the server and the client over localhost (though two instances of the tool can be separately executed to connect over a specific IP:Port socket).
Default parameters are set to enable simple execution requiring no user inputs (i.e. double click), but available command-line parameters can be found by running the tool with the -h option.
For TLS and QUIC protocols, a certificate + key is required (and also provided in the pre-compiled zip). createcerts.sh can be used to generate new certs as needed.
Detecting data theft in aggregate may be challenging, as many of the relevant actions are otherwise benign and potentially high volume. Decomposing the compound behavior into individual techniques may reveal actionable defensive opportunities, such as:
- Abnormal file access patterns, especially high volumes targeting potentially sensitive data
- Execution of processes (e.g.,
WinRAR.exe) as well as creation of files (e.g.,.zip) associated with creating data archives - Network connections to suspicious/known malicious destinations (including online data storage sites and services), especially if PCAP is available to show large or otherwise irregular patterns of data flow and/or protocol abuse
- A disproportionate amount of outbound data to external IPs
Similarly, opportunities to prevent data theft must be balanced against the normal accepted activity of systems and users. However, data loss prevention (DLP) strategies may help identify and restrict operations involving sensitive data.
From a network level, network signatures targeting large or otherwise irregular volumes, known patterns of protocol abuse (e.g., DNS tunneling), as well as out-of-policy destinations (e.g., unknown or known malicious) may block potentially malicious data exfiltration.