Exfiltration

Network Based Forensics

  • Firewall & NetFlow logs can be useful to determine the amount of data exfil’d, but will not describe the actual data.

  • Is your firewall application-aware? Do you have URL categories available? E.g., NGFWs

  • Look for traffic spikes and off-hours activity.

  • Is there protocol tunneling (e.g., DNS)?

  • Legal entities usually do not like to hear about traffic amounts (e.g., byte or packet counts) when you cannot denote exactly what was transferred, but it is what it is!

Host Based Forensics

  • Multiple archives being created by the TA can be obvious.

  • MFT/UsnJrnl

    • Use the parent sequence number to find the directories related to the file of interest.

    • Even if you do not have EDR/Sysmon, MFT/UsnJrnl analysis can prove crucial.

  • Uncommon archive types/names for your environment can be a clue

  • Archival tools being brought in by the TA are a huge sign!

SRUM database

MFT/UsnJrnl

3rd Party Tools

FileZilla log locations:

  • %APPDATA%\FileZilla\filezilla.xml

  • %APPDATA%\FileZilla\recentservers.xml

  • %APPDATA%\FileZilla\trustedcerts.xml

  • %APPDATA%\FileZilla\sitemanager.xml

  • %APPDATA%\FileZilla\*.sqlite3

WinSCP

  • Registry data:

    • Username & Remote IP address

      • HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache

    • Log File (may or may not exist)

      • HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging

    • Local Directories

      • HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget

    • Remote Directories

      • HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\RemoteTarget

Rclone

WinZip maintains archive data in the registry at:

  • NTUSER.DAT\Software\Nico Mak Computing\WinZip

7Zip maintains archive artifacts in the registry at:

  • NTUSER.DAT\Software\7-Zip\

  • ArcHistory can be used to show the latest archives.

  • Version numbers can be used to specify which version was used by the TA.

Cloud Based

Block anything not approved.

  • MEGA

    • Log files are located in:

      • %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\

    • Scheduled task:

      • \MEGA\MEGAsync Update Task

    • MEGAsync config file (encrypted):

      • %LOCALAPPDATA%\Mega Limited\MEGAsync\MEGAsync.cfg

  • SendSpace

  • WeTransfer

  • Google Drive

  • Dropbox

  • Box

  • OneDrive

  • Cloud-based storage/buckets: AWS | GCP | Azure
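The following triage script is an added example (the editor's, not part of the original notes) that walks the FileZilla, WinSCP, 7-Zip and MEGAsync locations listed above on a live host, in the context of the user under review. It assumes, from the editor's own knowledge rather than from this page, that 7-Zip keeps ArcHistory under the Compression subkey as UTF-16LE paths separated by NUL, and that FileZilla's recentservers.xml uses FileZilla3/RecentServers/Server elements with Host, Port and User children.

```powershell
# Editor-added triage script, not from the original page. Run on the live host as the
# user of interest; an offline NTUSER.DAT would need to be loaded as a hive first.
# Subkey names and binary layouts not listed on the page are assumptions (see lead-in).
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Item, $Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Item = $Item; Detail = $Detail })
}

# FileZilla: recent servers and the transfer-queue database(s) in %APPDATA%\FileZilla
$fzDir = Join-Path $env:APPDATA 'FileZilla'
$recent = Join-Path $fzDir 'recentservers.xml'
if (Test-Path $recent) {
    [xml]$doc = Get-Content -Raw -Path $recent
    foreach ($s in $doc.FileZilla3.RecentServers.Server) {
        Add-Finding 'FileZilla' 'RecentServer' ('{0}:{1} user={2}' -f $s.Host, $s.Port, $s.User)
    }
}
Get-ChildItem -Path $fzDir -Filter '*.sqlite3' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'FileZilla' 'QueueDb' ('{0} ({1} bytes)' -f $_.FullName, $_.Length) }

# WinSCP: cached hosts, local/remote directory history, and logging configuration
$winscp = 'HKCU:\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration'
foreach ($sub in 'CDCache', 'History\LocalTarget', 'History\RemoteTarget', 'Logging') {
    $props = Get-ItemProperty -Path (Join-Path $winscp $sub) -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        # CDCache values are binary blobs keyed by session; the value name is the useful part
        $val = if ($p.Value -is [byte[]]) { "<binary, $($p.Value.Length) bytes>" } else { $p.Value }
        Add-Finding 'WinSCP' $sub ('{0} = {1}' -f $p.Name, $val)
    }
}

# 7-Zip: ArcHistory is REG_BINARY holding UTF-16LE archive paths separated by NUL (assumed layout)
$arc = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\7-Zip\Compression' -ErrorAction SilentlyContinue).ArcHistory
if ($arc) {
    [Text.Encoding]::Unicode.GetString($arc) -split "`0" | Where-Object { $_ } |
        ForEach-Object { Add-Finding '7-Zip' 'ArcHistory' $_ }
}

# MEGAsync: log directory, encrypted config, and the updater scheduled task
$mega = Join-Path $env:LOCALAPPDATA 'Mega Limited\MEGAsync'
foreach ($f in 'logs', 'MEGAsync.cfg') {
    $p = Join-Path $mega $f
    if (Test-Path $p) { Add-Finding 'MEGA' $f ('present, last write {0}' -f (Get-Item $p).LastWriteTime) }
}
Get-ScheduledTask -TaskPath '\MEGA\' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'MEGA' 'ScheduledTask' $_.TaskName }
$findings | Sort-Object Source, Item | Format-Table -AutoSize
```

Pipe `$findings` to `Export-Csv` instead of `Format-Table` when the output needs to go into a timeline alongside MFT/UsnJrnl and NetFlow data.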
