Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

ID: T1020
Sub-techniques:  T1020.001
Tactic: Exfiltration
Platforms: Linux, Network, Windows, macOS
Contributors: ExtraHop
Version: 1.2
Created: 31 May 2017
Last Modified: 19 April 2022

Procedure Examples

ID Name Description
S0438 Attor

Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.[1]

S0050 CosmicDuke

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2]

S0538 Crutch

Crutch has automatically exfiltrated stolen files to Dropbox.[3]

S0600 Doki

Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.[4]

S0377 Ebury

Ebury can automatically exfiltrate gathered SSH credentials.[5]

S0363 Empire

Empire has the ability to automatically send collected data back to the threat actors' C2.[6]

C0001 Frankenstein

During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.[6]

G0047 Gamaredon Group

Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.[7]

G0004 Ke3chang

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.[8]

S0395 LightNeuron

LightNeuron can be configured to automatically exfiltrate files under a specified directory.[9]

S0409 Machete

Machete’s collected files are exfiltrated automatically to remote servers.[10]

S1017 OutSteel

OutSteel can automatically upload collected files to its C2 server.[11]

S0643 Peppy

Peppy has the ability to automatically exfiltrate files and keylogs.[12]

S0090 Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[13]

S0445 ShimRatReporter

ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.[14]

G0121 Sidewinder

Sidewinder has configured tools to automatically send collected files to attacker controlled servers.[15]

S0491 StrongPity

StrongPity can automatically exfiltrate collected documents to the C2 server.[16][17]

S0467 TajMahal

TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.[18]

S0131 TINYTYPHON

When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.[19]

G0081 Tropic Trooper

Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.[20]

S0136 USBStealer

USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [21]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection

DS0022 File File Access

Monitor for abnormal access to files (i.e. .pdf, .docx, .jpg, etc.), especially sensitive documents, through the use of automated processing after being gathered during Collection.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections associated with processes performing collection activity, especially those involving abnormal/untrusted hosts.

Network Traffic Content

Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous outbound traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.

Network Traffic Flow

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpected hardware devices, or other uncommon data flows.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References

  1. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  2. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  3. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  4. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  5. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  6. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  7. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  8. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  9. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  10. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  11. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.