Full Report
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control. To prevent this from occurring, a whole industry has popped up with the aim of stopping exfiltration attacks. However, often these are expensive and rarely work as expected. With this in mind, I created the Data Exfiltration Toolkit (DET) to help both penetration testers testing deployed security devices and those admins who’ve installed and configured them, to ensure they are working as expected and detecting when sensitive data is leaving the network.
Analysis Summary
# Tool/Technique: Data Exfiltration Toolkit (DET)
## Overview
The Data Exfiltration Toolkit (DET) is a generic, extensible framework designed to assist penetration testers and system administrators in testing and validating data exfiltration detection capabilities. Its primary goal is to facilitate the exfiltration of sensitive data using various channels (protocols/services) to ensure that deployed security controls are functioning correctly.
## Technical Details
- Type: Tool
- Platform: Not explicitly stated, but implied to be used in environments where data exfiltration occurs (likely Windows/Linux post-exploitation scenarios).
- Capabilities: Provides a framework to implement various data exfiltration protocols/services. Supports file retrieval, employs AES encryption, and uses multiple channels simultaneously.
- First Seen: Published March 19, 2016
## MITRE ATT&CK Mapping
Since DET is a tool designed for testing exfiltration, it directly maps to the Exfiltration tactic. Because it can implement any channel as a plugin, it plausibly maps to several techniques under that tactic:
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (if used over a custom C2 channel)
  - T1048 - Exfiltration Over Alternative Protocol
    - T1048.003 - Exfiltration Over ICMP (the article mentions an ICMP channel)
  - T1567 - Exfiltration To Cloud Storage (implied, given the mention of Gmail and Twitter)
    - T1567.001 - Exfiltration To Cloud Storage: Email (implied, given the mention of Gmail)
    - T1567.002 - Exfiltration To Cloud Storage: Social Media (implied, given the mention of Twitter)
## Functionality
### Core Capabilities
- Provides a generic framework allowing the implementation of *any* kind of protocol or service for exfiltration.
- Focuses on the core steps of data exfiltration: sending data and receiving confirmation/data back.
- Plugins follow an architecture supporting both sending and receiving capabilities.
### Advanced Features
- **Multi-Channel Support:** Capable of using one or several exfiltration channels simultaneously (e.g., used in videos combining Twitter and Gmail).
- **Encryption:** Integrates AES encryption for data concealment during transit.
- **Protocol Agnostic:** Designed to be extensible for various legitimate services often abused for data transfer (e.g., social media, email).
## Indicators of Compromise
As a general-purpose testing tool framework, specific IoCs depend entirely on how the user configures and deploys a plugin.
- File Hashes: Not provided in the article.
- File Names: Not provided in the article.
- Registry Keys: Not provided in the article.
- Network Indicators: The tool is designed to abuse legitimate services. Examples referenced include:
  - Gmail (defanged: `gmail[.]com`)
  - Twitter (defanged: `twitter[.]com`)
  - ICMP traffic (used for file retrieval).
- Behavioral Indicators:
  - Execution of file/data retrieval commands via configured channels.
  - Unusual volumes of encrypted data egressing via non-standard protocols (such as ICMP).
## Associated Threat Actors
The tool itself was created by SensePost for red/purple teaming purposes. However, the article notes that the design is inspired by threat actors and campaigns that abuse legitimate services:
- References campaigns like **HammerToss** (attributed often to APT29/Cozy Bear).
- Techniques align with malware authors abusing third-party services (C&C as a Service concept).
## Detection Methods
Detection focuses on the abnormal use of seemingly legitimate services or hidden protocols for high-volume data transfer:
- Signature-based detection: Not directly applicable to the framework itself unless specific plugin payloads are signatured.
- Behavioral detection: Monitoring for large data transfers masked within common protocols (e.g., SMTP, DNS, ICMP) or excessive API usage corresponding to social media/cloud services for uploads.
- YARA rules: Not provided in the article.
## Mitigation Strategies
The tool is explicitly designed to challenge existing defenses; mitigation focuses on robust egress monitoring:
- **Egress Filtering:** Strict control over egress traffic, especially protocols like ICMP, which should be highly restricted.
- **Deep Packet Inspection (DPI):** Inspecting the payload structure and volume of traffic utilizing common services (Gmail, Twitter) to detect anomalous activity (e.g., unrecognized encryption patterns or large, non-standard uploads).
- **Application Whitelisting:** For critical services, restricting which processes are allowed to communicate externally.
- **Monitoring Legitimate Service Abuse:** Establishing baselines for legitimate cloud/social media usage and alerting on sudden spikes in data being sent to these external providers by unusual internal sources or in unusual volumes.
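The detection and mitigation bullets above both come down to the same two checks: bulk data leaving over a protocol that should carry almost none (ICMP), and a per-source baseline for traffic to email and social-media providers so that spikes, or a host that has never used such a service before, raise an alert. The script below is an added example written for this summary; it is not part of DET or of the original article. The flow records, the host-to-category mapping, the baseline values and the thresholds are all constructed for the example and would be replaced by real flow logs and learned baselines in practice.

```python
"""Flag the egress patterns this report calls out: bulk data over ICMP and
unusual volume to email/social-media services relative to a per-source baseline.

All flow records, categories, baselines and thresholds below are constructed
for illustration (hypothetical values, not taken from the article).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (hypothetical field names)."""
    src: str        # internal source address
    dst_host: str   # resolved destination name or address
    proto: str      # "icmp", "tcp" or "udp"
    bytes_out: int  # bytes sent from src to dst in this window


# Hypothetical mapping of destination hosts to the service categories the
# report names (email, social media). A real deployment would use a fuller list.
SERVICE_CATEGORY = {
    "smtp.gmail.com": "email",
    "gmail.com": "email",
    "api.twitter.com": "social",
    "twitter.com": "social",
}

# Constructed baseline: expected bytes per (src, category) per window,
# as a real system would learn from historical traffic.
BASELINE = {
    ("10.0.0.5", "email"): 50_000,
    ("10.0.0.5", "social"): 20_000,
    ("10.0.0.7", "email"): 50_000,
}

ICMP_BYTES_THRESHOLD = 10_000  # bytes of ICMP egress per source per window (assumed)
SPIKE_FACTOR = 5.0             # alert when volume exceeds baseline by this factor (assumed)

# Constructed sample flows for one window.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "smtp.gmail.com", "tcp", 40_000),   # within baseline
    Flow("10.0.0.5", "api.twitter.com", "tcp", 15_000),  # within baseline
    Flow("10.0.0.5", "203.0.113.10", "icmp", 64),        # an ordinary ping
    Flow("10.0.0.5", "198.51.100.20", "tcp", 5_000),     # uncategorized, ignored
    Flow("10.0.0.7", "smtp.gmail.com", "tcp", 300_000),  # far above its email baseline
    Flow("10.0.0.9", "api.twitter.com", "tcp", 80_000),  # host never seen using social media
] + [
    # Twenty full-size ICMP packets from one host: the "file retrieval over ICMP" pattern.
    Flow("10.0.0.7", "203.0.113.10", "icmp", 1_400) for _ in range(20)
]


def aggregate(flows):
    """Sum bytes per (src, category) for categorized services, and per source for ICMP."""
    per_category = defaultdict(int)
    icmp_per_src = defaultdict(int)
    for f in flows:
        if f.proto == "icmp":
            icmp_per_src[f.src] += f.bytes_out
        category = SERVICE_CATEGORY.get(f.dst_host)
        if category is not None:
            per_category[(f.src, category)] += f.bytes_out
    return per_category, icmp_per_src


def find_alerts(flows, baseline=BASELINE,
                icmp_threshold=ICMP_BYTES_THRESHOLD, spike_factor=SPIKE_FACTOR):
    """Return a sorted list of alert tuples for the given window of flows."""
    per_category, icmp_per_src = aggregate(flows)
    alerts = []
    # Check 1: ICMP should carry almost no data; bulk ICMP egress is a red flag.
    for src, nbytes in sorted(icmp_per_src.items()):
        if nbytes > icmp_threshold:
            alerts.append(("icmp_volume", src, nbytes))
    # Check 2: compare each source's use of email/social services to its baseline.
    for (src, category), nbytes in sorted(per_category.items()):
        expected = baseline.get((src, category))
        if expected is None:
            # No history for this source and category: an unusual internal source.
            alerts.append(("new_source", src, category, nbytes))
        elif nbytes > spike_factor * expected:
            alerts.append(("volume_spike", src, category, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

Only three alerts come out of the sample window: the ICMP volume from 10.0.0.7, that same host's email spike, and 10.0.0.9 as a source with no history of social-media traffic. Host 10.0.0.5, whose traffic stays inside its baseline and whose single ICMP packet is an ordinary ping, raises nothing, which is the point of baselining rather than blocking the services outright.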
## Related Tools/Techniques
The tool draws inspiration from, or aims to mimic the functionality of, other tools that utilize legitimate services for command and control or exfiltration:
- **GCat** (Abuses Gmail for C2/exfiltration)
- **Twittor** (Abuses Twitter for C2/exfiltration)
- **HammerToss** (Campaign noted for using social media/legitimate channels)