数据分段是攻击者在数据外泄前对窃取信息进行集中暂存处理的战术环节,通常涉及数据聚合、格式转换和临时存储等操作。传统防御手段通过监控异常文件操作(如大量文件被复制到临时目录)、检测压缩加密工具使用痕迹,以及分析存储路径的合规性来识别数据分段行为。防御方重点关注系统回收站、临时文件夹等敏感目录的文件变化,并利用文件指纹比对技术发现可疑数据聚合。
为应对日益严格的数据防泄露检测,攻击者发展出多维度匿迹技术重构数据分段过程。通过加密分块、存储路径伪装、多云分散存储及元数据混淆等手段,将传统集中式数据暂存行为解构为离散化、去标识化的隐蔽操作,在保持数据可用性的同时大幅降低存储行为的可检测性。
当前数据分段匿迹技术的演进呈现三大特征:存储介质异构化、数据处理原子化和行为特征场景化。加密分块存储通过密码学手段破坏数据语义连续性,使单个数据块失去情报价值;合法目录寄生利用系统白名单机制实现存储行为合法化;分布式云暂存技术将数据物理分布与逻辑重组分离,利用云服务信任链规避检测;元数据混淆存储则通过文件系统层特征伪装实现"隐身存储"。这些技术的共性在于突破传统基于完整文件特征的检测范式,通过存储介质、数据形态、访问行为的全方位伪装,使暂存数据融入正常业务数据的生命周期。
匿迹技术的应用导致传统基于规则匹配的存储行为监控体系逐渐失效,防御方需构建跨云日志关联分析、文件系统元数据完整性校验、存储熵值动态基线监测等新型检测能力,并加强对加密数据块上下文关联关系的深度分析,方能有效应对隐蔽数据分段威胁。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
通过深度模仿合法文件存储特征实现隐蔽,包括文件命名规则符合系统临时文件模式、存储路径嵌入高频访问目录、文件扩展名伪装成日志或缓存文件等。该手法使数据分段行为在文件系统层面呈现正常业务特征,规避基于存储路径黑名单或文件类型规则的检测。
通过劫持系统文件操作API和内存驻留技术实现透明化存储。数据分段过程不产生额外的进程创建或网络连接,直接利用系统合法进程(如svchost.exe)完成文件读写,使得传统基于进程行为分析的检测手段难以察觉。
采用实时分块加密与混合加密策略,对暂存数据实施内容级混淆。通过AES-256等强加密算法破坏数据明文特征,结合密钥分片存储机制,确保即使部分数据块被截获也无法解密还原,有效对抗数据内容审计。
利用多云存储和分布式架构将数据分段过程解构为长周期、跨地域的离散操作。通过控制单个节点的数据存储频次低于检测阈值,并借助不同云服务商日志系统的隔离性,稀释攻击行为在时空维度的关联特征。
| ID | Name | Description |
|---|---|---|
| G1032 | INC Ransom |
INC Ransom has staged data on compromised hosts prior to exfiltration.[1][2] |
| S1020 | Kevin |
Kevin can create directories to store logs and other collected data.[3] |
| S0641 | Kobalos |
Kobalos can write captured SSH connection credentials to a file under the |
| S1076 | QUIETCANARY |
QUIETCANARY has the ability to stage data prior to exfiltration.[5] |
| G1015 | Scattered Spider |
Scattered Spider stages data in a centralized database prior to exfiltration.[6] |
| S1019 | Shark |
Shark has stored information in folders named |
| G1017 | Volt Typhoon |
Volt Typhoon has staged collected data in password-protected archives.[8] |
| G0102 | Wizard Spider |
Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[9] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
| DS0022 | File | File Access |
Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. |
| File Creation |
Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. |
||
| DS0024 | Windows Registry | Windows Registry Key Modification |
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection. |