MITRE Technique [T1020] Automated Exfiltration

[T1020] Automated Exfiltration – Automated exfiltration uses scripts or tools to collect and send data without manual steps, typically combining file-system traversal with a network transfer method so that sensitive files are moved off the network quietly and at scale. #AutomatedExfiltration #DataExfiltration

Key points

  • Automated scripts scan and collect targeted files across hosts and shares, enabling scale and speed in data theft.
  • Collected data is often compressed, encrypted, or chunked to evade size and content checks during transfer.
  • Exfiltration commonly leverages existing channels like C2, HTTP(S), DNS, or alternative protocols to blend with normal traffic.
  • Process and file access patterns reveal suspicious automation, such as repeated read operations by nonstandard processes.
  • Detection requires correlating file access, script execution, and anomalous outbound connections across endpoints and network devices.

Description:

  • Like a conveyor belt in a factory that automatically gathers products from many stations and sends them out the door, automated exfiltration collects files across systems and pipelines them out without human handling.
  • Adversaries run automated tooling or scripts that recursively gather sensitive documents, package or transform them, and transfer them out via network channels. This enables scalable, fast data theft and often pairs with other exfiltration methods to bypass controls, making rapid and widespread impact possible.

Detection:

  • Monitor file access logs for high-volume or repetitive reads by atypical processes; use EDR to flag processes reading many files or file types not usual for that process.
  • Alert on script execution patterns (PowerShell, Bash, Python, WMI scripts) combined with large file reads; collect Script Execution telemetry and whitelist known admin automation.
  • Analyze outbound network connection creation and flow records for unusual destinations, recurring short connections, or steady flows after file access; use NetFlow/PCAP and proxy logs.
  • Inspect network traffic content for compressed or encrypted payloads immediately following file access events; enable TLS inspection or metadata analysis where policy allows.
  • Correlate command execution telemetry with file access and subsequent network traffic to identify automation chains; implement SIEM rules to join these events across sources.
  • Watch network device logs for protocol abuse (DNS tunneling, unusual SMTP/FTP usage) and anomalous ports; deploy protocol anomaly detection and DNS analytics.
  • Reduce false positives by baselining normal backup and sync tools, and exclude approved automation. Use reputation and destination allowlists, and validate alerts with process ancestry and user context.
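As an added illustration of the correlation rule described above (not part of the MITRE page), the following script joins File Access and Network Connection Creation telemetry per process: a process that reads many distinct files and then opens an outbound connection within a short window is flagged, while approved backup/sync automation is excluded. The telemetry, the allowlist entries, the threshold and the window are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Approved automation that legitimately reads many files (assumed names for the
# example, not a vetted allowlist); tune threshold and window to your baseline.
APPROVED_AUTOMATION = {"backup.exe", "rsync"}
FILE_THRESHOLD = 5               # distinct files one process must read
WINDOW = timedelta(minutes=10)   # reads must precede the connection by at most this

def _ts(s):
    return datetime.fromisoformat(s)

def detect_automated_exfil(events):
    """Correlate file reads with a later outbound connection per (host, pid, process).

    events: dicts with keys ts, host, pid, process, type, detail, where type is
    "file_read" (detail = path) or "net_connect" (detail = "ip:port").
    Returns one alert per process that read >= FILE_THRESHOLD distinct files in the
    WINDOW before it created an outbound connection.
    """
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"], e["process"])].append(e)
    alerts = []
    for (host, pid, proc), evs in by_proc.items():
        if proc in APPROVED_AUTOMATION:
            continue                      # baseline exclusion reduces false positives
        evs.sort(key=lambda e: _ts(e["ts"]))
        for i, e in enumerate(evs):
            if e["type"] != "net_connect":
                continue
            t_conn = _ts(e["ts"])
            files = {x["detail"] for x in evs[:i]
                     if x["type"] == "file_read" and t_conn - _ts(x["ts"]) <= WINDOW}
            if len(files) >= FILE_THRESHOLD:
                alerts.append({"host": host, "pid": pid, "process": proc,
                               "files_read": len(files), "destination": e["detail"]})
                break                     # one alert per process is enough for triage
    return alerts

def _ev(ts, host, pid, proc, typ, detail):
    return {"ts": ts, "host": host, "pid": pid, "process": proc, "type": typ, "detail": detail}

# Constructed sample telemetry (not real logs): a script reading a share then calling
# out, an approved backup tool doing the same, and a user app reading a single file.
SAMPLE = (
    [_ev(f"2024-05-01T10:00:{i:02d}", "ws01", 4312, "powershell.exe", "file_read", f"C:\\Share\\doc{i}.docx") for i in range(6)]
    + [_ev("2024-05-01T10:03:00", "ws01", 4312, "powershell.exe", "net_connect", "203.0.113.7:443")]
    + [_ev(f"2024-05-01T10:00:{i:02d}", "ws01", 900, "backup.exe", "file_read", f"C:\\Share\\doc{i}.docx") for i in range(6)]
    + [_ev("2024-05-01T10:02:00", "ws01", 900, "backup.exe", "net_connect", "10.0.0.5:445")]
    + [_ev("2024-05-01T10:00:01", "ws02", 77, "winword.exe", "file_read", "C:\\Users\\b\\a.docx"),
       _ev("2024-05-01T10:00:30", "ws02", 77, "winword.exe", "net_connect", "198.51.100.2:443")]
)

if __name__ == "__main__":
    for alert in detect_automated_exfil(SAMPLE):
        print(alert)
```

In production the same join is expressed as a SIEM correlation rule over EDR file-access and network-connection events, with process ancestry and user context added before an analyst is paged.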

Tactics:
Exfiltration

Platforms:
Linux, Network Devices, Windows, macOS

Data Sources:
Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Script: Script Execution

Relationship Citations:
(Citation: FOX-IT May 2016 Mofang), (Citation: ESET Windigo Mar 2014), (Citation: Kaspersky TajMahal April 2019), (Citation: group-ib_redcurl1), (Citation: Talos Promethium June 2020), (Citation: group-ib_redcurl2), (Citation: Bitdefender StrongPity June 2020), (Citation: Forcepoint Monsoon), (Citation: F-Secure Cosmicduke), (Citation: DCSO StrelaStealer 2022), (Citation: Microsoft NICKEL December 2021), (Citation: ESET Crutch December 2020), (Citation: Palo Alto Rover), (Citation: S2W Racoon 2022), (Citation: IBM StrelaStealer 2024), (Citation: ESET LightNeuron May 2019), (Citation: CCCS ArcaneDoor 2024), (Citation: TrendMicro Tropic Trooper May 2020), (Citation: Symantec Bilbug 2022), (Citation: ESET Machete July 2019), (Citation: ESET OilRig Campaigns Sep 2023), (Citation: Talos Frankenstein June 2019), (Citation: CERT-UA WinterVivern 2023), (Citation: ESET Attor Oct 2019), (Citation: ESET Gamaredon June 2020), (Citation: Sekoia Raccoon1 2022), (Citation: Sekoia Raccoon2 2022), (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022), (Citation: Intezer Doki July 20), (Citation: ATT Sidewinder January 2021), (Citation: ESET Sednit USBStealer 2014), (Citation: Proofpoint Operation Transparent Tribe March 2016), (Citation: ESET Ebury May 2024)

Read More: https://attack.mitre.org/techniques/T1020