Approved

MITRE ATT&CK EXFILTRATION Tactic IOC Detection

Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for Mitre

-- VARIABLE $$Start Search on  Date and Time$$   DATE
-- VARIABLE $$Total Hours to search$$            STRING

-- Process cmdline IOC search, mapped to MITRE ATT&CK

WITH Mitre_map (ID, Tactic, Technique, SubTechnique, Description, Method, Condition, SubCondition, Refrence) AS ( VALUES
-- ID    Tactic  Technique  SubTechnique  Description  Condition  SubCondition  Refrence 
-- Automated Exfiltration- Traffic Duplication
('T1020.001','Exfiltration','Automated Exfiltration','Traffic Duplication','https://attack.mitre.org/techniques/T1020/001','Process_Cmd','powershell.exe','%Set-VMNetworkAdapter%PortMirroring%',''),
('T1020.001','Exfiltration','Automated Exfiltration','Traffic Duplication','https://attack.mitre.org/techniques/T1020/001','Process_Cmd','powershell.exe','%Add-NetEventPacketCaptureProvider%',''),

-- Data Exfiltration- Data Transfer Size Limits
('T1030','Exfiltration','Data Transfer Size Limits','','https://attack.mitre.org/techniques/T1030','Process_Cmd','powershell.exe','%GetRequestStream%Write%length%',''),
('T1030','Exfiltration','Data Transfer Size Limits','','https://attack.mitre.org/techniques/T1030','Process_Cmd','powershell.exe','%upload%chunksize%',''),

-- Exfiltration Over Alternative Protocol- Exfiltration Over Symetric Encrypted Non-C2 Protocol
('T1048.001','Exfiltration','Exfiltration Over Alternative Protocol','Exfiltration Over Symmetric Encrypted Non-C2 Protocol','https://attack.mitre.org/techniques/T1048/001','NONE','','',''),

-- Exfiltration Over Alternative Protocol- Exfiltration Over Asymetric Encrypted Non-C2 Protocol
('T1048.002','Exfiltration','Exfiltration Over Alternative Protocol','Exfiltration Over Asymmetric Encrypted Non-C2 Protocol','https://attack.mitre.org/techniques/T1048/002','NONE','','',''),

-- Exfiltration Over Alternative Protocol- Exfiltration Over Unencrypted/Obsfucated Non-C2 Protocol
('T1048.003','Exfiltration','Exfiltration Over Alternative Protocol','Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol','https://attack.mitre.org/techniques/T1048/003','Process_Cmd','telnet.exe','%localhost 80%','https://www.codingame.com/playgrounds/13710/conversation-over-http'),
('T1048.003','Exfiltration','Exfiltration Over Alternative Protocol','Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol','https://attack.mitre.org/techniques/T1048/003','Process_Cmd','telnet.exe','% 80%','https://www.codingame.com/playgrounds/13710/conversation-over-http'),
('T1048.003','Exfiltration','Exfiltration Over Alternative Protocol','Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol','https://attack.mitre.org/techniques/T1048/003','Process_Cmd','telnet.exe','% 25%','https://www.pentestpartners.com/security-blog/data-exfiltration-techniques/'),

-- Exfiltration Over Alternative Protocol- Exfiltration Over C2 Channel
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','DISM.exe','%telnetclient%','Installing telnetclient'),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','DISM.exe','%telnetserver%','Installing telnetserver'),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','pkmgr.exe','%telnetclient%','Installing telnetclient'),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','pkmgr.exe','%telnetserver%','Installing telnetserver'),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','scp.exe','%host%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','pscp.exe','%host%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','ftp.exe','%.%.%.%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','powershell.exe','%Copy-Item%path%destination%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','powershell.exe','%Copy-Item%tosession%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','powershell.exe','%Start-BitsTransfer%source%destination%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','powershell.exe','%Start-BitsTransfer%source%destination%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','powershell.exe','%write-host%',''),
('T1041','Exfiltration','Exfiltration Over C2 Channel','','https://attack.mitre.org/techniques/T1041','Process_Cmd','curl.exe','%-T%','Curl upload'),


-- Exfiltration Over Other Network Medium- Exfiltration Over bluetooth
('T1011.001','Exfiltration','Exfiltration Over Other Network Medium','Exfiltration Over Bluetooth','https://attack.mitre.org/techniques/T1011/001','Process_Cmd','btobex.exe','%','https://superuser.com/questions/1211965/send-a-file-via-bluetooth-from-the-command-prompt'),
('T1011.001','Exfiltration','Exfiltration Over Other Network Medium','Exfiltration Over Bluetooth','https://attack.mitre.org/techniques/T1011/001','Process_Cmd','fsquirt.exe','%','https://docs.microsoft.com/en-us/windows-hardware/drivers/bluetooth/bluetooth-user-interface'),

-- Exfiltration Over Physical Medium- Exfiltration over USB
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%Get-DeviceInfo%','https://superuser.com/questions/369959/how-do-i-access-mtp-devices-on-the-command-line-in-windows'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%Get-PNPDevice%','https://docs.microsoft.com/en-us/powershell/module/pnpdevice/get-pnpdevice?view=win10-ps'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%Get-PNPDevice%usb%','https://docs.microsoft.com/en-us/powershell/module/pnpdevice/get-pnpdevice?view=win10-ps'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%GWmi Win32_LogicalDisk%USB%','https://social.technet.microsoft.com/Forums/scriptcenter/en-US/ad6182d8-f52b-4985-96bc-02601484bebb/powershell-script-to-move-files-from-removable-drive-and-eject?forum=ITCG'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%GWmi Win32_LogicalDisk%camera%','https://social.technet.microsoft.com/Forums/scriptcenter/en-US/ad6182d8-f52b-4985-96bc-02601484bebb/powershell-script-to-move-files-from-removable-drive-and-eject?forum=ITCG'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%GWmi Win32_LogicalDisk%phone%','https://social.technet.microsoft.com/Forums/scriptcenter/en-US/ad6182d8-f52b-4985-96bc-02601484bebb/powershell-script-to-move-files-from-removable-drive-and-eject?forum=ITCG'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%GWmi Win32_LogicalDisk%ssd%','https://social.technet.microsoft.com/Forums/scriptcenter/en-US/ad6182d8-f52b-4985-96bc-02601484bebb/powershell-script-to-move-files-from-removable-drive-and-eject?forum=ITCG'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%GWmi Win32_USBControllerDevice%','https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-usbcontrollerdevice'),
('T1052.001','Exfiltration','Exfiltration Over Physical Medium','Exfiltration over USB','https://attack.mitre.org/techniques/T1052/001','Process_Cmd','powershell.exe','%GWmi Win32_USBController%','https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-usbcontrollerdevice'),

-- Exfiltration Over Web Service- Exfiltration to Code Repository
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','powershell.exe','%iex%http%chocolatey%','https://chocolatey.org/install'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','cmd.exe','%iex%http%chocolatey%','https://chocolatey.org/install'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','powershell.exe','%install%git%','https://chocolatey.org/packages/git'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','git.exe','%iex%http%chocolatey%','https://chocolatey.org/install'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','git.exe','%push%','https://docs.github.com/en/free-pro-team@latest/github/importing-your-projects-to-github/adding-an-existing-project-to-github-using-the-command-line'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','git.exe','%add%','https://docs.github.com/en/free-pro-team@latest/github/importing-your-projects-to-github/adding-an-existing-project-to-github-using-the-command-line'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','git.exe','%commit%','https://docs.github.com/en/free-pro-team@latest/github/importing-your-projects-to-github/adding-an-existing-project-to-github-using-the-command-line'),
('T1567.001','Exfiltration','Exfiltration Over Web Service','Exfiltration to Code Repository','https://attack.mitre.org/techniques/T1567/001','Process_Cmd','choco.exe','%git%install%','https://chocolatey.org/packages/git.install'),

-- Exfiltration Over Web Service- Exfiltration to Cloud Storage
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','choco.exe','%gsutil%install%','https://cloud.google.com/storage/docs/gsutil/commands/cp'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','%','%gsutil%cp%','https://cloud.google.com/storage/docs/gsutil/commands/cp'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','%','%dropbox%uploader%','http://raspberrypimaker.com/transferring-to-dropbox-command-line/'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','cmd.exe','%dropbox%copy%','https://codereview.stackexchange.com/questions/111483/copying-files-into-dropbox-folder-from-command-line'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','idevsutil.exe','%upload%','https://www.idrivesync.com/evs/dev-guide-parameters.htm'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','sugersyncinstall.exe','%','https://www.sugarsync.com/'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','sugersync.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','FreeFileSync.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','ifolder%.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','ipfs.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','rsync.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','bitsadmin.exe','%upload%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1567.002','Exfiltration','Exfiltration Over Web Service','Exfiltration to Cloud Storage','https://attack.mitre.org/techniques/T1567/002','Process_Cmd','rclone.exe','%copy%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),

-- Scheduled Transfer
('T1029','Exfiltration','Scheduled Transfer','NA','https://attack.mitre.org/techniques/T1029','ProcessCmd','schtasks.exe','%copy%',''),
('T1029','Exfiltration','Scheduled Transfer','NA','https://attack.mitre.org/techniques/T1029','ProcessCmd','schtasks.exe','%upload%',''),

-- Transfer Data to Cloud Account
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','choco.exe','%gsutil%install%','https://cloud.google.com/storage/docs/gsutil/commands/cp'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','%','%gsutil%cp%','https://cloud.google.com/storage/docs/gsutil/commands/cp'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','%','%dropbox%uploader%','http://raspberrypimaker.com/transferring-to-dropbox-command-line/'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','cmd.exe','%dropbox%copy%','https://codereview.stackexchange.com/questions/111483/copying-files-into-dropbox-folder-from-command-line'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','idevsutil.exe','%upload%','https://www.idrivesync.com/evs/dev-guide-parameters.htm'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','sugersyncinstall.exe','%','https://www.sugarsync.com/'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','sugersync.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','FreeFileSync.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','ifolder%.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','ipfs.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','rsync.exe','%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','bitsadmin.exe','%upload%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software'),
('T1537','Exfiltration','Transfer Data to Cloud Account','','https://attack.mitre.org/techniques/T1537','Process_Cmd','rclone.exe','%copy%','https://en.wikipedia.org/wiki/Comparison_of_file_synchronization_software')
) 
/*****************************************************************\
| Hunt for matching IOCs using the Sophos Journal Tables (Windows) |
\*****************************************************************/
-- LIST ALL RULES SELECT * FROM Mitre_map
-- COUNT ALL RULES SELECT CASE(Method='NONE') WHEN 1 THEN 0 ELSE COUNT(ID) END Count, ID, Tactic, Technique, SubTechnique, Description FROM Mitre_Map GROUP BY ID ORDER BY Technique ASC
-- Search for matching process name and cmdline indicator of compromise

SELECT
   CAST(datetime(spj.time,'unixepoch') AS TEXT) DateTime,
   CAST(map.ID AS TEXT) Mitre_ID, CAST(map.Tactic AS TEXT) Tactic, CAST(map.Technique AS TEXT) Technique, CAST(map.SubTechnique AS TEXT) SubTechnique, CAST(map.Description AS TEXT) Mitre_Description,
   CAST(map.condition || ' + ' || map.subcondition AS TEXT) Hunt_Rule,
   CAST( (SELECT username FROM users WHERE uid = replace(spj.sid, rtrim(spj.sid, replace(spj.sid, '-', '')), '')) AS TEXT) User_Name,
   CAST(spj.processName AS TEXT) processName,
   CAST(spj.cmdline AS TEXT) CmdLine,
   CAST(spj.SophosPID AS TEXT) SophosPID,
   CAST ( (SELECT spj2.processName FROM Sophos_process_journal spj2 WHERE spj2.SophosPID = spj.ParentSophosPID AND spj2.time = replace(spj.ParentSophosPID, rtrim(spj.ParentSophosPID, replace(spj.ParentSophosPID,':','')),'')/10000000-11644473600) AS TEXT) ParentProcessName,
   CAST(spj.pathname AS TEXT) Path,
   CAST(map.Refrence AS TEXT) Refrence
FROM Sophos_process_journal spj 
   JOIN Mitre_map map ON 
      spj.evenTtype = 0 AND 
      spj.processName LIKE map.condition AND 
      spj.cmdline LIKE map.SubCondition
WHERE 
   spj.time > $$Start Search on  Date and Time$$ AND 
   spj.time < $$Start Search on  Date and Time$$ + $$Total Hours to search$$*3600 AND
   map.Method = 'Process_Cmd'

Parents
  • Hey Karl, this is really great!  When I run it on multiple boxes I now get a result that shows CompatTelRunner.exe and points me to https://attack.mitre.org/techniques/T1041 and says Exfiltration Over C2 Channel.  From what I understand this is a legitimate process from Microsoft to collect information about our PCs.   Seems like something we should turn off but none the less it is on by default.  Do you feel we should have an exclusion in the query to ignore these findings?

Comment
  • Hey Karl, this is really great!  When I run it on multiple boxes I now get a result that shows CompatTelRunner.exe and points me to https://attack.mitre.org/techniques/T1041 and says Exfiltration Over C2 Channel.  From what I understand this is a legitimate process from Microsoft to collect information about our PCs.   Seems like something we should turn off but none the less it is on by default.  Do you feel we should have an exclusion in the query to ignore these findings?

Children
No Data