Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

ID: T1020
Sub-techniques:  .001
Tactic(s): Exfiltration
Platforms: Linux, macOS, Network, Windows
Data Sources: Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Script: Script Execution
Version: 1.2
Created: 31 May 2017
Last Modified: 24 Jan 2024

Procedure Examples

Name Description
StrongPity

StrongPity can automatically exfiltrate collected documents to the C2 server.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

LightNeuron

LightNeuron can be configured to automatically exfiltrate files under a specified directory.(Citation: ESET LightNeuron May 2019)

During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.(Citation: Talos Frankenstein June 2019)

Frankenstein

Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)

Sidewinder

Sidewinder has configured tools to automatically send collected files to attacker controlled servers.(Citation: ATT Sidewinder January 2021)

Empire

Empire has the ability to automatically send collected data back to the threat actors' C2.(Citation: Talos Frankenstein June 2019)

Doki

Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.(Citation: Intezer Doki July 20)

Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.(Citation: Palo Alto Rover)

OutSteel

OutSteel can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Peppy

Peppy has the ability to automatically exfiltrate files and keylogs.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Machete

Machete’s collected files are exfiltrated automatically to remote servers.(Citation: ESET Machete July 2019)

Ebury

If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.(Citation: ESET Windigo Mar 2014)(Citation: ESET Ebury May 2024)

Raccoon Stealer

Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)

Ke3chang

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.(Citation: Microsoft NICKEL December 2021)

RedCurl

RedCurl has used batch scripts to exfiltrate data.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)

TajMahal

TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.(Citation: Kaspersky TajMahal April 2019)

Winter Vivern

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.(Citation: CERT-UA WinterVivern 2023)

Honeybee

Honeybee performs data exfiltration is accomplished through the following command-line command: from (- --).txt.(Citation: McAfee Honeybee)

USBStealer

USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. (Citation: ESET Sednit USBStealer 2014)

Crutch

Crutch has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020)

Tropic Trooper

Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.(Citation: TrendMicro Tropic Trooper May 2020)

Gamaredon Group

Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020)

ShimRatReporter

ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.(Citation: FOX-IT May 2016 Mofang)

CosmicDuke

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.(Citation: F-Secure Cosmicduke)

Attor

Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.(Citation: ESET Attor Oct 2019)

TINYTYPHON

When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.(Citation: Forcepoint Monsoon)

Mitigations

Mitigation Description
Automated Exfiltration Mitigation

Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.

References

  1. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  2. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  3. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  4. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  5. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  6. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  7. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  8. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  9. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  10. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  11. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  12. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  13. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
  14. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  15. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  16. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  17. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  18. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  19. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  20. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  21. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  22. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
  23. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  24. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  25. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  26. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  27. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  28. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  29. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.