Detections
- Home
- - Detections
- -DT029
- ID: DT029
- Created: 31st May 2024
- Updated: 17th September 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
File EXIF Data
EXIF stands for Exchangeable Image File Format and is a standard that governs the formats for images, sound, and ancillary tags used by digital cameras, including those in smartphones and other systems. The essential feature of EXIF is that it embeds the metadata into the image files. It can provide detailed information about an image, including the date and time, camera settings, camera specifications, thumbnails, geographical location information, and orientation.
Sections
ID | Name | Description |
---|---|---|
IF003 | Exfiltration via Media Capture | A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media. |
IF003.001 | Exfiltration via Photography | A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information. |
IF003.002 | Exfiltration via Video Capture | A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information. |
IF003.003 | Exfiltration via Audio Capture | A subject uses an external device, such as a mobile phone or camera, to take record audio containing sensitive information, such as conversations. |
AF018.003 | Canary Tokens | A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example:
The subject creates files containing canary tokens—unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response.
The subject strategically places these files in various locations within the environment:
Once in place, the canary token within each file serves as a silent tripwire. The token monitors for access and automatically triggers an alert if an action is detected:
Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection:
By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity. |