1. Home
  2. Techniques
  3. Enterprise
  4. 自动化渗出

自动化渗出

ID Name
T1020.001 分片混淆渗出
T1020.002 合法协议隧道化渗出
T1020.003 低频时序渗出

自动化渗出指攻击者通过预设脚本或程序自动执行数据窃取与传输的过程,通常与数据收集阶段紧密衔接。该技术利用程序化操作实现高效持续的数据渗出,常通过命令控制信道(C2)或替代协议(如DNS、HTTP)进行传输。防御方可通过监控异常文件访问模式(如非业务进程遍历多目录)、检测非常规网络连接(如内部主机与未知外部端点持续通信)等手段进行识别,并采用数据流分析识别未授权传输行为。

为规避传统自动化渗出技术因数据量大、传输连续性强而易于被检测的缺陷,攻击者发展出多维度的隐蔽渗出技术,通过数据形态重构、协议深度伪装及时序智能调控等策略,将渗出行为解构为符合业务特征的微观数据流,在维持渗出效率的同时实现"数据即服务"的隐匿传输。

现有自动化渗出匿迹技术的核心逻辑聚焦于数据生命周期与网络行为的特征重构。攻击者通过分片混淆技术将数据原子化,破坏完整性检测条件;利用协议隧道化实现传输层合规性伪装,规避协议异常检测;借助低频时序控制融合业务流量节奏,消除行为异常性。三类技术的共性在于突破传统渗出行为的大流量、高连续性特征,通过数据微分化、协议标准化及时序自然化的协同作用,使每个渗出单元在数据形态、传输方式和时间分布等维度均符合合法业务特征。分片混淆渗出侧重数据本身的不可识别性,协议隧道化确保传输通道的合法性证明,低频时序控制则从行为模式层面实现隐匿,三者共同构建出"微观合规、宏观不可察"的新型渗出范式。

匿迹技术的演进导致传统基于流量阈值告警、协议合规检查的防御体系面临严峻挑战,防御方需构建细粒度数据流图谱分析能力,结合协议行为建模与上下文感知检测技术,实现渗出行为的跨协议关联识别,并引入数据血缘追踪机制应对分片混淆攻击。

ID: T1020
Sub-techniques:  T1020.001, T1020.002, T1020.003
Tactic: 数据渗出
Platforms: Linux, Network, Windows, macOS
Contributors: ExtraHop
Version: 1.2
Created: 31 May 2017
Last Modified: 24 January 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过深度协议仿真技术将渗出流量伪装成合法业务交互。例如利用标准HTTPS协议封装渗出数据,严格遵循TLS握手规范与HTTP头部格式,使流量在协议特征层面与正常Web服务完全一致。或通过模仿数据库备份服务的TCP窗口管理策略,使渗出流量在传输控制层面呈现合法特征。

数据遮蔽

采用多层加密与编码机制对渗出数据进行遮蔽,包括应用层AES-GCM加密、传输层TLS 1.3保护以及自定义二进制编码方案。部分技术结合区块链智能合约实现数据分片加密存储,确保单一片段无法还原有效信息。

时空释痕

通过低频时序控制与全球节点协同,将集中式渗出任务分解为长周期、低强度的离散操作。利用云函数等临时计算资源动态切换渗出端点,使单次行为特征低于检测阈值,整体攻击指纹被稀释在业务流量时间序列中。

Procedure Examples

ID Name Description
S0438 Attor

Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.[1]
S0050 CosmicDuke

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2]
S0538 Crutch

Crutch has automatically exfiltrated stolen files to Dropbox.[3]
S0600 Doki

Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.[4]
S0377 Ebury

If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.[5][6]
S0363 Empire

Empire has the ability to automatically send collected data back to the threat actors' C2.[7]
C0001 Frankenstein

During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.[7]
G0047 Gamaredon Group

Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.[8]
G0004 Ke3chang

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.[9]
S0395 LightNeuron

LightNeuron can be configured to automatically exfiltrate files under a specified directory.[10]
S0409 Machete

Machete’s collected files are exfiltrated automatically to remote servers.[11]

S1017 OutSteel

OutSteel can automatically upload collected files to its C2 server.[12]
S0643 Peppy

Peppy has the ability to automatically exfiltrate files and keylogs.[13]
S1148 Raccoon Stealer

Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.[14][15][16]
G1039 RedCurl

RedCurl has used batch scripts to exfiltrate data.[17][18]
S0090 Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[19]
S0445 ShimRatReporter

ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.[20]
G0121 Sidewinder

Sidewinder has configured tools to automatically send collected files to attacker controlled servers.[21]
S0491 StrongPity

StrongPity can automatically exfiltrate collected documents to the C2 server.[22][23]
S0467 TajMahal

TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.[24]
S0131 TINYTYPHON

When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.[25]
G0081 Tropic Trooper

Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.[26]

S0136 USBStealer

USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [27]
G1035 Winter Vivern

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.[28]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection
DS0022 File File Access

Monitor for abnormal access to files (i.e. .pdf, .docx, .jpg, etc.), especially sensitive documents, through the use of automated processing after being gathered during Collection.
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections associated with processes performing collection activity, especially those involving abnormal/untrusted hosts.

Network Traffic Content

Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous outbound traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.
Network Traffic Flow

Monitor and analyze network flows associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpected hardware devices, or other uncommon data flows.
DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References

  1. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  2. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  3. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  4. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  5. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  6. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
  7. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  8. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  9. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  10. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  11. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  12. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  13. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  14. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  1. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  2. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  3. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  4. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  5. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  6. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  7. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  8. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  9. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  10. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  11. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  12. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  13. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  14. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.