Legitimate exfiltration tools : summary and detection for incident response and threat hunting

Rédigé par Nathanael Ndong - 27/09/2023 - dans CSIRT - Téléchargement

Legitimate data transfer tools are more and more used by threat actors. During our incident response engagements, we often see the use of several administration tools, including tools for transferring data to SFTP servers or directly to the cloud. These are widely used by attackers as means of exfiltration. The issue of exfiltrated data is one of the most important and hardest topic in the case of ransomware incidents.

As the subject has already been widely covered, the aim of this article is to centralize the traces left by most commonly used tools, and to facilitate their detection.

Introduction

The threat landscape is in constant evolution. Threat actors have moved from a model where they encrypt data to one where they also exfiltrate it to increase ransom payment success. These development include the regular use of legitimate administration tools1 in their campaigns. It's becoming increasingly common on our engagements to find different administration tools installed on the same machine. As a result, attackers no longer need to use their own tools for certain tasks, and can simply reuse those already present on the machine.

As mentioned earlier, the use of  administration tools was covered extensively2. The aim of this article is to identify files that may have been exfiltrated by threat actors using certain synchronization and data transfer tools that may be present on a system. We will explore the most usefull artifacts in order to automate the search for potentially exfiltrated files.

In this article, we're going to focus on five free and easily accessible tools that can be found in many windows platforms : WinSCP, FreeFileSync, GoodSync, Megatools and Rclone. We will test them with default configuration.

Process of collect and analysis of the artefacts

To perform this study, several tools were used to monitor the activity of the system: its file system, registry, process activity, and common Windows artefacts. The default logging policy was applied on the Windows "lab". However, we chose not to enable Sysmon to reflect the reality of what we usually encounter during our engagements.

 

WinSCP

WinSCP is a free SFTP and FTP graphical client for available on Windows platform. The tool has several protocols including, FTPS, SCP WebDAV and transfer to AWS S3. The tool has a portable version and can be used on the command line. For this article we use the version 6.1.1 .

Detection

The following elements can be used to detect the presence, the use and determine the installation time of the tool :

  • The creation date of the default directory installation, C:\Users\<username>\AppData\Local\Programs\WinSCP or C:\Program Files\WinSCP (if installed for all user) ;
  • The creation shortcut with default installation for WinSCP.exe with Microsoft-Windows-Shell-Core EventID 28115 at installation time;
  • The last modification date of the registries key NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1 and the presence of NTUSER\SOFTWARE\Martin Prikryl. If the software is installed for all users we could find the same keys with the same path inside the SOFTWARE hive.

Exfiltrated files

By default, the tool is configured via the registry hive NTUSER. It shows that logging is disabled by default.

Nevertheless, it is possible to find several interesting pieces of information:

  • The location of the local directory involved in data transfer in registry key HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\LocalPanel\ with the value LastPath ;
  • Other local directories potentially involved in data transfer in registry key HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\OtherLocalPanel with the value LastPath ;
  • Remote destination in registry key HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\RemoteTarget.

Apart from the date on which the key was modified, there are no timestamps for the dates of transfer in the registry hive.

We also tested the portable version and discovered that no information is present in the registry hive. However, a temporary folder Temp*_WinSCP--Portable.zip is created in C:\Users\<username>\AppData\Local\Temp containing a WinSCP configuration file. This file contains the same information as that present in the registers when using the classic version.

Logging

The default configuration does not enable logging, and it is unlikely that an attacker would do so. Nevertheless, we've enabled it to give you an idea of the type of items that can be logged. The tool offers two logging formats: XML or Text. We've enabled both.

In this scenario, two files are generated in the user default temporary directory C:\Users\<username>\AppData\Local\Temp with the following nomenclature username@remote_ip.extension. In both files we can find :

  • The start date and time of the data transfer session ;
  • The location and the destination of transferred files;
  • Name and size of transferred files;
  • The end date and time of the data transfer session.

 

  • XML file content
<?xml version="1.0" encoding="UTF-8"?>
<session start="2023-08-14T16:42:38.298Z" name="client_sftp@192.168.122.99" xmlns="http://winscp.net/schema/session/1.0">
    <upload>
        <filename value="C:\Users\User2\Documents\Newtest\anssi-guide-mecanismes_crypto-2.04.pdf"/>
        <destination value="/client_sftp/New2/anssi-guide-mecanismes_crypto-2.04.pdf"/>
        <size value="601028"/>
        <result success="true"/>
    </upload>
    <touch>
        <filename value="/client_sftp/New2/anssi-guide-mecanismes_crypto-2.04.pdf"/>
        <modification value="2023-08-14T16:38:53.000Z"/>
        <result success="true"/>
    </touch>
    <upload>
        <filename value="C:\Users\User2\Documents\Newtest\anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf"/>
        <destination value="/client_sftp/New2/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf"/>
        <size value="491064"/>
        <result success="true"/>
    </upload>
    <touch>
        <filename value="/client_sftp/New2/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf"/>
        <modification value="2023-08-14T16:38:33.000Z"/>
        <result success="true"/>
    </touch>
...
</session>
  • Text file content
. 2023-08-14 18:42:41.423 Cached directory change via ".." to "/client_sftp".
. 2023-08-14 18:42:41.423 Getting current directory name.
. 2023-08-14 18:42:41.439 Directory content loaded from cache.
. 2023-08-14 18:42:55.700 Copying 4 files/directories to remote directory "/client_sftp/New2/" - total size: 1.981.467
...
. 2023-08-14 18:42:55.700 File: 'C:\Users\User2\Documents\Newtest\anssi-guide-mecanismes_crypto-2.04.pdf' [2023-08-14T16:38:53.298Z] [601028]
. 2023-08-14 18:42:55.700 Copying "C:\Users\User2\Documents\Newtest\anssi-guide-mecanismes_crypto-2.04.pdf" to remote directory started.
. 2023-08-14 18:42:55.700 Binary transfer mode selected.
. 2023-08-14 18:42:55.700 Checking existence of file.
....
. 2023-08-14 18:42:55.716 Transfer done: 'C:\Users\User2\Documents\Newtest\anssi-guide-mecanismes_crypto-2.04.pdf' => '/client_sftp/New2/anssi-guide-mecanismes_crypto-2.04.pdf' [601028]
. 2023-08-14 18:42:55.716 File: 'C:\Users\User2\Documents\Newtest\anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf' [2023-08-14T16:38:33.513Z] [491064]
. 2023-08-14 18:42:55.716 Copying "C:\Users\User2\Documents\Newtest\anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf" to remote directory started.
. 2023-08-14 18:42:55.716 Binary transfer mode selected.
. 2023-08-14 18:42:55.716 Checking existence of file.
...
. 2023-08-14 18:43:37.077 Closing connection.
. 2023-08-14 18:43:37.077 Sending special code: 1
. 2023-08-14 18:43:37.077 Session sent command exit status 0
. 2023-08-14 18:43:37.077 Main session channel closed
. 2023-08-14 18:43:37.077 All channels closed

Others artifacts of interests

The registry hive of user who launched contains several interesting information:

  • The fingerprint of ssh keys used in the key HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\LastFingerprints with one entry per host ;
  • The username and the remote adresse in HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache ;

A great article from Zur Ulianitzky and David Azria details some possibilities for extracting session secrets from various tools, including WinSCP.

Megatools

Megatools is a collection of free and open source programs for accessing Mega service from a command line. The tool is available on Windows and Linux. For the purpose of this article we use the version 1.11.1

Detection

The following elements can be used to detect the presence and the period of use of the tool :

  • The AppCompat key of the NTUSER hive, \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant, of the user who launched the tool contains the location of the tool ;
  • The key SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count\ of the user hive who launched the tool. It possible to retrieve the location and the period of execution :
Batch Key Path	Batch Value Name	Program Name	Run Counter	Focus Count	Focus Time	Last Executed
ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count	P:\Hfref\Hfre2\Qbphzragf\zrtngbbyf-1.11.1.20230212-jva64\zrtngbbyf.rkr	C:\Users\User2\Documents\megatools-1.11.1.20230212-win64\megatools.exe	1	0	0d, 0h, 00m, 00s	2023-08-23 15:04:07.5370000
  • The presence and the last modification of a cache file <random_value>.megatools.cache in the temporary user folder C:\Users\<username>\AppData\Local\Temp\ might be an indicator of last execution;

Search of exfiltrated files

Megatools is command line utility with 2 mains option to transfer data:

  • Transfert of one file : megatools put myfile ;
  • Transfert of directory : megatools copy -l local_folder -r remote destination.

With these two command you have 3 options to authenticate to mega services:

  • Giving config file (in the same folder of the tool) ;
  • Giving your username, in general email with the option -u login, with an interactive session for password ;
  • Giving username and password in command line ;

In all case as a command line tool there isn't default logging of those command. The tool does not generate other artifact of interests that can be used to identify the exfiltrated files.

Rclone

Rclone is a command-line program to manage files on cloud storage. It is a feature-rich alternative to cloud vendors' web storage interfaces. Over 70 cloud storage products support rclone including S3 object stores, business & consumer file storage services, as well as standard transfer protocols. For the purpose of this article we use the  version v1.63.1.

Detection

The following elements can be used to detect the presence and the period of use of the tool :

  • The AppCompat key of the NTUSER hive, \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant, of the user who launched the tool contains the location of the tool ;
  • The key SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count\ of the user hive who launched the tool. It possible to retrieve the location and the period of execution :

Search of exfiltrated files

The tool lets you configure access to suppliers for data transfer in two different ways :

  • Config file : rclone.exe --config config_file source:remote_destination ;
  • Interactive mode : rclone.exe -l source provider:remote_destination.

In the second case, the provider was configured in interactive mode. This results in the creation of a configuration file rclone.conf in C:\Users\<username>\AppData\Roaming\rclone\ with the following structure :

[Connexion name]
type = provider
access_token = <token>

Rather than saving login and password, the utility sets up a connexion name, the provider and an associated access token. Others values can be available depending on the provider. But there is no additional information stored on the drive. We also test the GUI version (web application) and there isn't more interesting information.

  • Configuration examples
[Rclone_google]
type = drive
scope = drive
token = {"access_token":"ya29.a0AfB_byCvq4Pl54ELskIqN3ga5LSZ0jKMTrrms2y5Ov8Is4svdWt******","token_type":"Bearer","refresh_token":"1//**************L9IrhEjH14x6lH3P_dR9mHEyfDSPIotXQbM848aq2bsy4xxWKvRaM08o6sicot1AZ5VrrtQ","expiry":"2023-01-10T21:11:36.113261+02:00"}
team_drive = 

[Rclone_uptobox]
type = uptobox
access_token = 8dcc17b6fb8a************

 

Apart from this information, there are no other artifacts that can be used to identify the exfiltrated files because the command line is not logged.

GoodSync

GoodSync is a free, for personal use, file synchronization and backup software. The tool is available on Windows, MacOs, Linux, Android and iOS. It's mainly a desktop application but a command line version is available. The tool supports several types of transfer : SFTP, Cloud (Google Drive, OneDrive, AWS..).

Detection

The following elements can be used to detect the presence, the use and determine the installation time of the tool :

  • The creation date of the default directory installation C:\Program Files\Siber Systems\GoodSync ;
  • The last modification date of the registry key SOFTWARE: Microsoft\Windows\CurrentVersion\Uninstall\{} that contains GoodSync. In our case {B26B00DA-2E5D-4CF2-83C5-911198C0F009} ;
  • The registry key SOFTWARE\Siber Systems\GoodSync\Profiles to determine the location of the GoodSync logs and the user who used the tool with a value similar to C:/Users/<username>/AppData/Local/GoodSync;
  • Two log files, InstallElev-YYYYMMDD-HHmm.log and InstallLicense-YYYYMMDD-HHmm.log in the folder C:\Users\<username>\AppData\Local\GoodSync\ generated at installation time YYYYMMDD-HHmm ;
  • The creation of a service GoodSync Server with a System EventID 7045 and the last modification date of the registry key SYSTEM\CurrentControlSet\Services\GsServer ;

 

Exfiltrated files

For each use (or session), GoodSync generates a log file GoodSync-YYYYMMDD-HHmm.log, whose filename matches the date and the time of the session's start in the user folder C:\Users\<username>\AppData\Local\GoodSync\. These files contain a number of interesting items of information:

  • For command line version, the parameters use to launch the tool
2023-08-23 16:37:26 #2 ----- GoodSync ver 12.3.4.4 on Windows 10; 10.0.10586-2 64-bit-OS t=1 cd= started -----
2023-08-23 16:37:26 #2 Command Line: 
2023-08-23 16:37:26 #2 Main command:
  • Basic information on the user and the system
2023-08-23 16:37:26 #2 g_bElevated=0 g_bIsUserInAdminGroup=1 OsCompName=DESKTOP-0D3LUFB SysUser=User2 DomainUser=DESKTOP-0D3LUFB\User2
2023-08-23 16:37:26 #2 SibGetOsComputerIds: OsCompSerialA=S-1-5-21-3357941585-1708574553-3041823371
2023-08-23 16:37:26 #2 SibGetOsComputerIds: OsDiskSerial=QM00001 MainDiskDir=C:/Program Files/Siber Systems/GoodSync
2023-08-23 16:37:26 #2 SibGetNetCardMacAddr: consider type=1 ip_addr=192.168.122.184 gate=192.168.122.1 macaddr=525400b7cbbe descr=Intel(R) 82574L Gigabit Network Connection
2023-08-23 16:37:26 #2 SibGetNetCardMacAddr: return ip_addr=192.168.122.184 macaddr=525400b7cbbe
  • Goodsync account information (the use of the application requires an account)

2023-08-23 16:37:26 #2 GsLoadBookmark: sBmkFilePath=C:/Users/User2/AppData/Local/GoodSync/GsAcct.tic conn=url=gstps://*********-outlook-com.goodsync userid=*********-outlook-com pass=... appkey= email=*********@outlook.com name=********* affid=
2023-08-23 16:37:26 #2 === GsGetCheckGsAccount: g_sGsUserIdA=*********-outlook-com g_sComputerIdA=desktop-0d3lufb
2023-08-23 16:37:26 #2 GsLoadBookmark: sBmkFilePath=C:/Users/User2/AppData/Local/GoodSync/LocalAcct.tic conn=url=gstps://-local-desktop-0d3lufb-user2.goodsync userid=-local-desktop-0d3lufb-user2 pass=... appkey= email= name= affid=
2023-08-23 16:37:29 #2 CheckLicenseViaGsAccount: Ret OK: UserId=*********-outlook-com m_bLicActive=0 trial-expires=2023-09-23 16:01:16 LicRowId=- m_tLicExpires=(null-time) m_tAccountCreated=2023-08-23 16:01:16 ServerMsg=

The rest of the information in the file will depend on where the files are copied to.

 

Good Sync Provider
GoodSync interface and providers

In fact, the tool allows you to use different protocols or cloud services. For the purposes of this article, we have chosen SFTP and Google Drive.

For each type of destination, there will be an authentication step and a location connection step, which will vary according to the option selected.

Then, for each file transferred, we will be able to identify : copied date and time, the protocol/cloud provider used, the location and the name of the source file, the destination of file and file size.

  • Google Drive example
2023-08-23 16:39:58 #23 [Gdrive] Copy New 'C:/Users/User2/Documents/Doc_gdrive/NIST.CSWP.04282021.pdf.pdf' -> 'gdrive://www.googleapis.com/GS_Sync/NIST.CSWP.04282021.pdf.pdf' (411,227)
2023-08-23 16:39:58 #22 [Gdrive] Copy New 'C:/Users/User2/Documents/Doc_gdrive/apon_cryptanalysis_of_ledacrypt_final-preprint.pdf.pdf' -> 'gdrive://www.googleapis.com/GS_Sync/apon_cryptanalysis_of_ledacrypt_final-preprint.pdf.pdf' (492,371)
2023-08-23 16:39:59 #24 [Gdrive] Copy New 'C:/Users/User2/Documents/Doc_gdrive/SMITH-TONE_ExtractingLinearEquations_ePRINT.pdf.pdf' -> 'gdrive://www.googleapis.com/GS_Sync/SMITH-TONE_ExtractingLinearEquations_ePRINT.pdf.pdf' (886,796)
  • SFTP example
2023-08-23 16:06:15 #19 [SFTP] > Copy New 'C:/Users/User2/Documents/Doc/NIST.AMS.500-1.pdf.pdf' -> 'sftp://192.168.122.99/client_sftp/GoodSync/NIST.AMS.500-1.pdf.pdf' (1,780,403)
2023-08-23 16:06:15 #19 [SFTP] > Copy New 'C:/Users/User2/Documents/Doc/NIST.CSWP.04162018.pdf' -> 'sftp://192.168.122.99/client_sftp/GoodSync/NIST.CSWP.04162018.pdf' (1,062,822)
2023-08-23 16:06:15 #19 [SFTP] > Copy New 'C:/Users/User2/Documents/Doc/NIST.CSWP.6.gre.pdf.pdf' -> 'sftp://192.168.122.99/client_sftp/GoodSync/NIST.CSWP.6.gre.pdf.pdf' (1,637,459)

We create a Velociraptor query Windows.Forensics.GoodSync to automate the search of exfiltrated files in our incident response and threat hunting engagements. A submission request have been made to share it on Velociraptor Artifact Exchange. So it should be available very soon.

Others artifacts of interests

The GoodSync-YYYYMMDD-HHmm.log files : several types of actions (creating folders, deleting files, etc.) can be performed on the remote location before the data are transferred.

Tic files : several files in tic format can be found in the C:\Users\<username>\AppData\Local\GoodSync\ folder. Among them :

  • server-accounts.tic : contains account associated with the remote destination (mail addresses for cloud provider and login account for SFTP) ;
  • jobs-groups-options-YYYY-MMDD-HHmmSS.tic : contains information similar to server-accounts but per session ;
  • GsAcct.tic : saved GoodSync account with hashed password.

In the case of Google Drive we could notice a cache folder GoogleDriveCache and a tic file google-fs-cache.tic which contains hashed version of google account password.

FreeFileSync

FreeFileSync is a free and open source data synchronization tools available on Windows, Linux and MacOs. The tool is highly flexible with a desktop application, a command line version and a portable version. Synchronization is possible with Google Drive or SFTP. For this article, we test the desktop version 12.5 with default configuration on Windows.

Detection

The following elements can be used to detect the presence, the use and determine the installation time of the tool :

  • The creation date of the default directory installation C:\Program Files\FreeFileSync ;
  • The last modification date of the registries key SOFTWARE\WOW6432Node\FreeFileSync and SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FreeFileSync_is1 ;
  • The creation of two shortcuts with default installation for FreeFileSync.exe and RealTimeSync.exe with Microsoft-Windows-Shell-Core EventID 28115 at installation time ;
  • When application is run, it possible to observe Powershell EventID 600 with the parameter use to launch the application HostApplication=powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'.

 

Exfiltrated files

For each use (or session), FreeFileSync generates html report [Last session] YYYY-MM-DD HHmmSS.*.html, which filename matches the date and the time of the session's start in the user folder C:\Users\\AppData\Roaming\FreeFileSync\Logs\. These files contain a number of interesting items of information:

  • Date and time of synchronization operations
  • Date and time of copied files ;
  • Remote destination and associated account ;
  • Time processing and data size.

 

  • Goole Drive Example
<td>Items processed:</td>
<td><span>6</span> (9,64 MB)</td>
<td>Total time:</td>
<td><span>00:00:13</span></td>

<td>17:06:45</td>
<td>Synchronizing folder pair: Update <br>
C:\Users\User2\Documents\ANSSI<br>
gdrive:\*****@gmail.com\Nouvelle collection</td>

<td valign="top">17:07:29</td>
<td>Creating file gdrive:\*****@gmail.com\Nouvelle collection\anssi-guide-organiser-un-exercice-de-gestion-de-crise-cyber-v1.0.pdf</td>
  • SFTP Example
<td>Items processed:</td>
<td><span>2</span> (4,06 MB)</td>
<td>Total time:</td>
<td><span>00:00:00</span></td>

<td>16:46:57</td>
<td>Synchronizing folder pair: Update &gt;<br>
C:\Users\User2\Documents\ENISA<br>
sftp://client_sftp@192.168.122.99/client_sftp/freefilesync</td>
....
<td>16:47:02</td>
<td>Creating file sftp://client_sftp@192.168.122.99/client_sftp/freefilesync/Health Threat Landscape.pdf</td>

We create a Velociraptor query Windows.Forensics.FreeFileSync to automate the search of exfiltrated files in our incident response and threat hunting engagements. A submission request have been made to share it on Velociraptor Artifact Exchange. So it should be available very soon.

Others artifacts of interests

The folder C:\Users\<username>\AppData\Roaming\FreeFileSync\Logs\ contains also error report YYYY-MM-DD HHmmSS.* [Error].html when some operations fail to transfer data, with associated files, timestamps and remote destination :

<tr>
    <td>16:45:50</td>
    <td>Creating file &quot;sftp://client_sftp@192.168.122.99/client_sftp/freefilesync/Health Threat Landscape.pdf&quot;</td>
</tr>
<tr>
     <td>16:45:50</td>
    <td>Cannot write file sftp://client_sftp@192.168.122.99/client_sftp/freefilesync/Health Threat Landscape-401f.ffs_tmp.<br>
    SSH_FX_PERMISSION_DENIED: Failed opening remote file [libssh2_sftp_open]</td>
</tr>

 

The folder C:\Users\<username>\AppData\Roaming\FreeFileSync\ contains three valuables xml files :

  • GlobalSettings.xml: it contains FreeFileSync configuration including log location, retention and format (html default or plaintext) and history of last synchronization (source folder, remote location and associated account) ;
  • LastRun.ffs_gui: it contains source and remote location of last execution with desktop application ;
  • LastRun.ffs_real: it contains history of daily execution if setting up.

 

Summary

 

When an attacker uses a legitimate data transfer tool, whether it is already present on the system or has been downloaded, it is often possible to identify its presence and use :

  • with the tool installation path and uninstall registry key ;
  • with registry keys, either specific to the tool or with UserAssist and AppCompatCache for command-line tools.

In the first case, the logs generated can often be used to identify the files exfiltrated, along with the exfiltration dates. However, as the configuration of these tools is very flexible, it is possible to disable logging. In this case, it will be impossible to identify exfiltrated files.

In the second case, unless you log command-line executions and the creation of new processes, there are no artifacts to identify potentially exfiltrated files. We strongly recommend that you investigate the possibility of implementing this logging policy (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing).

This article was an opportunity for us to create a few VQLs to automate some of our research during our investigation and threat hunting missions with Velociraptor.  You might find them on the Velociraptor Artifact Exchange :

  • WIndows.Application.GoodSync with the GoodSync account used and transfered files ;
  • Windows.Application.FreeFileSync with account used, latest transfered files from html logs and the list of others logs ;