Exfiltration
Network Based Forensics
Firewall & NetFlow logs can be useful to determine the amount of data exfil’d, but will not describe the actual data.
Is your firewall application-aware? Do you have URL categories available? E.g., NGFWs
Look for traffic spikes and off-hours activity.
Is there protocol tunneling (e.g., DNS)?
Legal entities usually do not like to hear about traffic amounts (e.g., byte or packet counts) when you cannot denote exactly what was transferred— but it is what it is!
Host Based Forensics
Multiple archives being created by the TA can be obvious.
MFT/UsnJrnl
Use Parent sequence number to find directories related to file of interest.
Even if you do not have EDR/Sysmon, MFT/UsnJrnl analysis can prove crucial.
Uncommon archive types/names for your environment can be a clue
Archival tools being brought in by the TA are a huge sign!
SRUM database
MFT/UsnJrnl
3rd Party Tools
FileZilla log locations:
%APPDATA%\FileZilla\filezilla.xml
%APPDATA%\FileZilla\recentservers.xml
%APPDATA%\FileZilla\trustedcerts.xml
%APPDATA%\FileZilla\sitemanager.xml
%APPDATA%\FileZilla*.sqlite3
WinSCP
Registry data:
Username & Remote IP address •
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache•
Log File (may or may not exist)
HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
Local Directories
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget
Remote Directories
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\RemoteTarget
Rclone
WinZip maintains archive data in the registry at:
NTUSER.DAT\Software\Nico Mak Computing\WinZip
7Zip maintains archive artifacts in the registry at:
NTUSER.DAT\Software\7-Zip\
Archhistory can be used to show latest archives.
Version numbers can be used to specifiy which one was used by TA.
Cloud Based
Block anything not approved.
MEGA
Log files located in:
%LOCALAPPDATA%\Mega Limited\MEGAsync\logs\
Scheduled task:
\MEGA\MEGAsync Update Task
MEGAsync config file (encrypted):
%LOCALAPPDATA%\Mega Limited\MEGAsync\MEGAsync.cfg
SendSpace
WeTransfer
Google Drive
Dropbox
Box
OneDrive
Cloud-based storage/buckets: AWS | GCP | Azure
Last updated