Data Exfiltration Simulator
The bad guys learned quickly that it is much easier and less risky to steal money from people and companies using a computer than by physically breaking into houses, offices, and banks.
While attackers can break into organizations, move laterally, and remain undetected for anywhere from a couple of days to months, at some point they will likely want to steal the data. In other words, they will collect a massive number of documents, databases, reports, etc., and then send them to a server that they control. This process is usually automated, so a large amount of data can be sent in seconds or in a few minutes. Also, before sending the data, an attacker might compress and/or encrypt it.
With that in mind, I decided to build a tool that will hopefully help defenders understand whether they are able to detect this activity in their environment and, if so, how long they would take to respond to it (i.e., locate and kill the malicious process, isolate the affected hosts, determine which files were stolen, etc.).
This tool was built to simulate two techniques described in the MITRE ATT&CK framework:
- T1119 - Automated Collection
- T1020 - Automated Exfiltration
This is how it works:
1) Download the Data Exfiltration Simulator on the host where you will run the simulation. It is available at https://github.com/bcaseiro/DataExfiltrationSimulator
Note: Make sure this host has a few .xls, .doc, .pdf, etc. files that will be "exfiltrated" to a remote FTP server.
2) Set up an FTP server in your network, then make sure you can connect to it with a valid username/password and that you can upload files to it.
3) Run DataExfiltrationSimulator.exe. It will ask for the IP address of your FTP server, a username, and a password, and then do the rest.
Note: It will show on the screen every file (.pdf, .doc, .docx, .pptx, .rtf, etc.) that was found and whether it was able to upload it. It also writes a log file called ftpstats.log that records what happened the last time the tool ran.
If your antivirus detects DataExfiltrationSimulator as malware and you conclude that you are safe, please think again. No effort was made to make this tool evade AV/NGAV products. The goal is to detect whether this behavior is happening or has happened in your environment, so you can measure how quickly you are able to detect and respond to this kind of attack, independently of the binary that is causing the behavior.
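One way a defender can check whether the behavior the simulator produces (many document files pushed to an FTP server within seconds) is visible in their own telemetry is a simple burst-rate detection over the FTP server's transfer log. The code below is an added example written for this post, not part of the Data Exfiltration Simulator; it assumes a constructed, simplified transfer-log format (`<ISO timestamp> <client_ip> <direction> <bytes> <path>`) and a hypothetical threshold of ten document uploads per minute, both of which you would adapt to your real FTP log format and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# File types the simulator sweeps up; real automated collection targets the same set.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}

def parse_line(line):
    # Constructed, simplified transfer-log format: <ISO ts> <client_ip> <dir> <bytes> <path>
    ts, host, direction, size, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, direction, int(size), path

def is_document(path):
    return os.path.splitext(path)[1].lower() in DOC_EXTENSIONS

def detect_bulk_uploads(lines, threshold=10, window=timedelta(seconds=60)):
    """One alert per client that pushed >= threshold document files within `window` (hypothetical defaults)."""
    uploads = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, direction, size, path = parse_line(line)
        if direction == "i" and is_document(path):  # "i" = incoming, i.e. an upload to the server
            uploads[host].append((ts, size))
    alerts = []
    for host, events in uploads.items():
        events.sort()
        start, best = 0, None
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["files"]):
                best = {"host": host, "files": count,
                        "bytes": sum(s for _, s in events[start:end + 1]),
                        "first": events[start][0].isoformat(), "last": ts.isoformat()}
        if best:
            alerts.append(best)
    return alerts

def make_sample_log():
    # Constructed data: one normal user, and one host behaving like the simulator.
    lines = ["2024-03-01T09:00:00 10.0.0.5 i 120000 /uploads/report.pdf",
             "2024-03-01T09:40:00 10.0.0.5 i 90000 /uploads/notes.docx",
             "2024-03-01T10:15:03 10.0.0.42 i 4000 /drop/readme.txt"]
    names = ["budget.xls", "plan.docx", "deck.pptx", "memo.rtf", "contract.pdf"]
    for n in range(12):
        lines.append(f"2024-03-01T10:15:{n:02d} 10.0.0.42 i 50000 /drop/{n}_{names[n % 5]}")
    return "\n".join(lines)
```

The occasional user uploading a couple of reports never trips the rule, while the simulator's burst of twelve documents in eleven seconds produces one alert naming the client, file count, byte total, and time span you would need to start the response.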
Below is a video demonstrating this tool: