Exfiltration via Messaging Applications

A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system.

A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system.

A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.

This log contains the timestamp, the action conducted, and the package name and version.

To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*

To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*

Depending on the solution used, web proxies can provide a wealth of information about web-based activity. This can include the IP address of the system making the web request, the URL requested, the response code, and timestamps.

An organization must perform SSL/TLS interception to receive the most complete information about these connections.

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.