
Insider Threat Matrix™
  • ID: DT029
  • Created: 31st May 2024
  • Updated: 17th September 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

File EXIF Data

EXIF stands for Exchangeable Image File Format and is a standard that governs the formats for images, sound, and ancillary tags used by digital cameras, including those in smartphones and other systems. The essential feature of EXIF is that it embeds the metadata into the image files. It can provide detailed information about an image, including the date and time, camera settings, camera specifications, thumbnails, geographical location information, and orientation.

Sections

ID Name Description
IF003 Exfiltration via Media Capture

A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media.

IF003.001 Exfiltration via Photography

A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information.

IF003.002 Exfiltration via Video Capture

A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information.

IF003.003 Exfiltration via Audio Capture

A subject uses an external device, such as a mobile phone or camera, to record audio containing sensitive information, such as conversations.

AF018.003 Canary Tokens

A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example:


The subject creates files containing canary tokens—unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response.


The subject strategically places these files in various locations within the environment:

  • Endpoints: Files with canary tokens are stored in directories where digital forensics or malware analysis is likely to occur, such as system logs, user data directories, or registry entries.
  • Cloud Storage: The files are uploaded to cloud storage buckets, virtual machines, or application databases where security teams might search for indicators of compromise.
  • Network Shares: Shared drives and network locations where forensic investigators or security tools may perform scans.


Once in place, the canary token within each file serves as a silent tripwire. The token monitors for access and automatically triggers an alert if an action is detected:

  • Access Detection: If a security tool, administrator, or investigator attempts to open, modify, or copy the file, the embedded canary token sends an alert to an external server controlled by the subject.
  • Network Traffic: The token can initiate an outbound network request (e.g., HTTP, DNS) to a specified location, notifying the subject of the exact time and environment where the access occurred.
  • Behavior Analysis: The subject might include multiple canary files, each with unique tokens, to identify the pattern of investigation, such as the sequence of directories accessed or specific file types of interest to the security team.


Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection:

  • Alert the Subject: The canary token sends a covert signal to the subject's designated server or communication channel, notifying them of the potential investigation.
  • Halt Malicious Activity: The subject can use this warning to suspend ongoing malicious actions, such as data exfiltration or command-and-control communications, to avoid further detection.
  • Clean Up Evidence: Scripts can be triggered to delete or alter logs, remove incriminating files, or revert system configurations to their original state, complicating any forensic investigation.
  • Feign Normalcy: The subject can restore or disguise compromised systems to appear as though nothing suspicious has occurred, minimizing signs of tampering.


By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity.

AF008.001 Image Steganography

A subject embeds data within image files to hide sensitive content and exfiltrate it, in a way that conceals both the data and the act of exfiltration. Unlike encryption alone, this attempts to hide the existence of the data.


Method | Description | Notes
Least Significant Bit (LSB) | Modifies the least significant bits of pixel values (typically in RGB channels) to store hidden data, with minimal visible change. | High capacity, simple to implement, but fragile. Lossy compression may destroy the data. Detectable via histogram or entropy analysis.
Masking / Filtering | Alters luminance or contrast, embedding data in textured or edge-heavy regions. | Used with lossless formats (e.g., PNG, BMP). More robust than LSB, but limited capacity.
Transform-Domain Methods | Applies frequency transformations (DCT, DWT, FFT) and embeds data into coefficients. | More resilient to compression and image editing. Lower capacity, higher complexity.
Palette / Color-Table Encoding | Modifies color palettes or transparency values in indexed-color images. | Difficult to detect visually, but format-limited. May expose anomalies in color table comparisons.
EOF Padding (Appended Data) | Appends hidden content after the image's End of File (EOF) marker. | Simple and often overlooked. No image modification required, making visual detection difficult. Easily done with basic scripts, file joiners or a hex editor. Can be exposed if the file size is unexpectedly large or during forensic carving.
Edge/Noise-Based Embedding | Selectively hides data in edges, noise, or using adaptive spreading. | Hardest to detect, especially when combined with ML techniques. Capacity is lower, implementation complex.


Trade-offs

  • LSB and EOF: High capacity, low complexity, fragile to inspection
  • Transform and Edge-based: Higher stealth, lower capacity, more resilient
  • Appended EOF: Minimal technical skill required, common in low-effort exfiltration attempts
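The Python script below is an added example; it is not code from the Insider Threat Matrix or the ITM team. It serves two passages on this page from the investigator's side: reading EXIF fields (Make, Model, DateTime) out of a JPEG's APP1 segment, as the DT029 description above covers, and spotting the "EOF Padding (Appended Data)" method from the steganography table by measuring how many bytes follow the image's EOI marker. The function names (parse_exif, analyze_jpeg, build_tiff, build_sample_jpeg) are mine, the sample JPEG is constructed inside the script rather than taken from a real camera, and only the standard library is used.

```python
import struct

# Tag ids from the TIFF/EXIF specification for a few common IFD0 fields.
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII_TYPE = 2  # TIFF field type for NUL-terminated ASCII strings


def parse_exif(app1_payload):
    """Return {tag name: value} for the known ASCII tags in an APP1/Exif payload."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1_payload[6:]  # TIFF header starts here; all offsets are relative to it
    endian = {b"MM": ">", b"II": "<"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return {}
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A or ifd_offset + 2 > len(tiff):
        return {}
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    found = {}
    for i in range(count):
        start = ifd_offset + 2 + 12 * i
        entry = tiff[start:start + 12]
        if len(entry) < 12:
            break  # truncated IFD: stop rather than read past the buffer
        tag, ftype, n = struct.unpack(endian + "HHI", entry[:8])
        if tag not in EXIF_TAGS or ftype != ASCII_TYPE:
            continue
        if n <= 4:  # values of 4 bytes or fewer are stored inline in the value field
            raw = entry[8:8 + n]
        else:       # longer values live elsewhere in the TIFF block
            offset = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[offset:offset + n]
        found[EXIF_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def analyze_jpeg(data):
    """Walk JPEG segments: collect EXIF tags and count the bytes after the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, exif = 2, {}
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan data (header-only file)
            pos += 2
            break
        if marker == 0xDA:  # SOS: entropy-coded data follows; 0xFF is byte-stuffed there,
            eoi = data.find(b"\xff\xd9", pos + 2)  # so the first FF D9 is the real EOI
            if eoi == -1:
                raise ValueError("no EOI marker after SOS")
            pos = eoi + 2
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and not exif:
            exif = parse_exif(payload)
        pos += 2 + length
    else:
        raise ValueError("truncated JPEG: no EOI marker")
    return {"exif": exif, "image_end": pos, "trailing_bytes": len(data) - pos}


def build_tiff(tags):
    """Constructed big-endian TIFF block with one IFD of ASCII entries (tags sorted by id)."""
    n = len(tags)
    data_offset = 8 + 2 + 12 * n + 4  # header + entry count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag_id, text in tags:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:
            field = value.ljust(4, b"\x00")
        else:
            field = struct.pack(">I", data_offset + len(blob))
            blob += value
        entries += struct.pack(">HHI", tag_id, ASCII_TYPE, len(value)) + field
    return b"MM\x00\x2a" + struct.pack(">IH", 8, n) + entries + b"\x00\x00\x00\x00" + blob


def build_sample_jpeg(trailer=b""):
    """Constructed minimal JPEG (not real camera output): SOI, APP1/Exif, SOS, EOI, trailer."""
    app1 = b"Exif\x00\x00" + build_tiff([(0x010F, "ExampleCam"), (0x0110, "Model X1"),
                                         (0x0132, "2024:05:31 09:15:00")])
    sos_header = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", len(sos_header) + 2) + sos_header
            + b"\x12\x34\x56"  # stand-in entropy-coded scan data (contains no 0xFF)
            + b"\xff\xd9" + trailer)


if __name__ == "__main__":
    clean = build_sample_jpeg()
    # The trailer carries its own FF D9 so that a naive "find the last EOI" check would miss it.
    padded = build_sample_jpeg(b"hidden payload after EOI\xff\xd9")
    for name, blob in (("clean", clean), ("padded", padded)):
        report = analyze_jpeg(blob)
        print(name, report["exif"], "trailing bytes:", report["trailing_bytes"])
```

Walking the segments instead of searching for the last FF D9 matters because appended content can contain that byte pair itself; inside the entropy-coded scan every 0xFF is byte-stuffed, so the first FF D9 after SOS is the genuine marker. A nonzero trailing_bytes value is a lead to inspect rather than proof of exfiltration, since some camera and phone software writes its own trailer after EOI; for PNG files the equivalent check is whether anything follows the IEND chunk.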