Penetration Testing Explained, Part VII: Exfiltration and Conclusions

Michael Buckbee
Last updated June 9, 2023

In this series of posts, I covered ideas to get you started using basic testing software to find security vulnerabilities. There are more advanced tools, such as Metasploit, which lets you speedily try different hacking scenarios, but many of its principles are based on what I’ve already written about.

In short: you can get a lot of mileage from trying out simple remote access trojans or RATs, reverse shells, password/hash crackers, hash dumping, and pass-the-hash in your own IT environment.

Whatever approach you settle on, keep our Inside Out philosophy in mind. It says that in your testing, you should really focus on what hackers see once they’re on a generic user’s laptop or desktop. Pen testing is a great exercise for spotting local accounts with weak passwords, overly generous networking capabilities, broad access rights on file shares, and other security holes before hackers have a chance to exploit them.

You really won’t know what’s under the rock until you lift it!


Even the Simple Stuff is Getting Deadlier

One of my first posts in this series was on RATs. They’ve been around forever, and attackers often use them to get an initial foothold on the target system. RATs let cyber thieves perform the virtual equivalent of rifling through the victim’s possessions: in this case, scanning directories, running commands remotely, and uploading additional tools. The goal, though, is to use the RAT to install more advanced and stealthier malware that does the real dirty work.

But there’s a new generation of RATware that proves it’s really become its own malware universe.

AlienSpy, which I wrote about recently, is a hard-to-detect Java-based rodent with built-in capabilities to scrape memory and to enable cameras and microphones to spy on employees. And it can be conveniently purchased on a subscription basis.

Another related RAT, called Zbot or Zeus, is an equally scary critter. It’s been used against banks to steal massive amounts of account credentials.

One interesting feature of the Zeus-Zbot family and other newer RATs is that they also remove the data from the victim’s machine.

Exfiltration: Stealthy Stealing

I don’t mean by letting the remote attacker perform a vanilla and easily detected FTP download. Instead, this RAT’s exfiltration scheme is based on sending the stolen data as an HTTP interaction. In cyber technology, this is known as Command and Control (C2), typically used by sophisticated APTs.

The C2 technique, though, has gone down-market in the last few years and can be found in many trojans. Effectively, the RAT acts like a browser and contacts the attacker’s website using a known URL or URL pattern that has been hard-coded into the RAT.

The stolen data is sneakily hidden in the POST requests. The attackers can also send new commands in their HTTP responses back to the RAT to direct it to do other work. SANS, by the way, has a good white paper analyzing these interactions.

With a C2 approach, RATs have really upped the game in terms of their capabilities. Sure, C2-style exfiltration can, in theory, be spotted using, say, Snort or other intrusion detection systems.

But the attackers are always changing the server-side URLs, and there’s often little in the HTTP headers or the data stream to help fingerprint these things.

These C2-style interactions can also be encrypted, making it very, very difficult to figure out what’s going on. SANS has another interesting paper on how to deal with these closed-off channels — it ain’t easy though!
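Since the URLs and headers of a C2 channel change constantly, one thing a defender can key on instead is timing: a RAT polling its server tends to POST at machine-regular intervals, while people are bursty. The following is an added example, not code from the original post or from SANS; it runs over a constructed proxy log in a made-up key=value format and flags client/host pairs whose POST gaps show little jitter.

```python
# Added example (not from the original post): flag C2-style beaconing in
# constructed proxy log lines by timing regularity, not by URL or headers.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.1.2.3 POSTs to one host roughly every 60s
# (a RAT checking in); 10.1.2.4 is a person posting to a news site.
SAMPLE_LOG = """\
2023-06-09T10:00:00 src=10.1.2.3 method=POST host=cdn-sync.example bytes_out=512
2023-06-09T10:01:01 src=10.1.2.3 method=POST host=cdn-sync.example bytes_out=514
2023-06-09T10:02:00 src=10.1.2.3 method=POST host=cdn-sync.example bytes_out=511
2023-06-09T10:02:59 src=10.1.2.3 method=POST host=cdn-sync.example bytes_out=513
2023-06-09T10:04:00 src=10.1.2.3 method=POST host=cdn-sync.example bytes_out=512
2023-06-09T10:00:09 src=10.1.2.4 method=POST host=news.example bytes_out=230
2023-06-09T10:14:05 src=10.1.2.4 method=POST host=news.example bytes_out=90
2023-06-09T10:41:00 src=10.1.2.4 method=POST host=news.example bytes_out=3100
2023-06-09T10:52:30 src=10.1.2.4 method=POST host=news.example bytes_out=410
"""

def parse(line):
    """Split a 'TIMESTAMP key=value ...' line into a dict with a datetime."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_beacons(log_text, min_posts=4, max_jitter=0.2):
    """Return (src, host, mean gap, jitter) for POST streams with
    machine-regular timing; jitter is stdev/mean of the gaps."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["method"] == "POST":
            posts[(rec["src"], rec["host"])].append(rec["ts"])
    flagged = []
    for (src, host), times in posts.items():
        if len(times) < min_posts:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            flagged.append((src, host, round(mean(gaps)), round(jitter, 3)))
    return flagged

if __name__ == "__main__":
    for src, host, period, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {host} every ~{period}s (jitter {jitter})")
```

The thresholds are starting points, not tuned values; real beacons add deliberate jitter, so in practice you would widen the window and combine this with destination reputation and data volume.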

What to Do?

It starts looking a little bleak when even beginning hackers can rent very capable RATware in the cloud, run a basic phishing campaign, and then start stealthily pulling data when one of the RAT payloads finds an info-rich and ill-prepared target.

It’s easier than the proverbial exercise of shooting phish, I mean fish, in a barrel.

Yes, it’s a tough world out there.

But if I had to make a tight argument to convince IT and C-levels how to approach the problem, it would go something like this.

The hackers will always get in. The malware they use will continue to get stealthier. So it will always be a hard or even an impossible problem to detect the software and the data being transferred out using conventional methods.

The goal then should not be to focus strictly on higher defensive walls (through virus and port scanners or DLP endpoint protections), but instead to improve the ability to spot unusual activities through selective monitoring.

But how do you monitor an attacker that’s using advanced cloaking technology?

The cyber thieves will have to, at some point, use the file system. There’s no way around this.

They’ll need to navigate folders, search files, upload or create temporary files containing data or code, copy, move, rename or delete folders, and transfer files containing stolen data to exfiltration points.

All of this activity can be watched, provided you have deep visibility into OS file events. With the right analysis of those events, the attacker can be detected.

The key point is that the hackers are using the credentials of an existing user, whose previous file behaviors can be known on a statistical basis. Significant variances from these normal behaviors provide important clues about who is a hacker. And that is how they can be spotted.

Sure, I’m referring to User Behavior Analytics, which ultimately is a way to decide who’s a real user and who’s getting inside the building using fake or borrowed credentials.
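To make the statistical idea concrete, here is an added example (not code from the original post or from any UBA product) that builds a per-user baseline from constructed file-event records and flags a day whose activity falls far outside it. The event tuples, paths and the three features (event count, distinct folders touched, write-type operations) are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal UBA-style baseline
# over constructed file-event records; a day far outside a user's norm is flagged.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed records: (user, day, action, path). alice normally touches a few
# finance files; on day 8 her credentials sweep 120 HR folders and stage a zip.
EVENTS = []
for day in range(1, 8):
    for i in range(4 + day % 3):
        EVENTS.append(("alice", day, "read", f"/shares/finance/report{i}.xlsx"))
    EVENTS.append(("alice", day, "create", f"/shares/finance/draft{day}.docx"))
for i in range(120):
    EVENTS.append(("alice", 8, "read", f"/shares/hr/employee{i}/payroll.pdf"))
EVENTS.append(("alice", 8, "create", "/shares/users/alice/tmp/stage.zip"))
EVENTS.append(("alice", 8, "rename", "/shares/users/alice/tmp/stage.zip"))

def daily_features(events):
    """Per (user, day): event count, distinct folders touched, write-type ops."""
    feats = defaultdict(Counter)
    folders = defaultdict(set)
    for user, day, action, path in events:
        key = (user, day)
        feats[key]["events"] += 1
        folders[key].add(path.rsplit("/", 1)[0])
        if action in ("create", "rename", "delete"):
            feats[key]["writes"] += 1
    for key, fset in folders.items():
        feats[key]["folders"] = len(fset)
    return feats

def anomalies(events, baseline_days, day, z_threshold=3.0):
    """Return {user: {feature: z}} for features far above the user's baseline."""
    feats = daily_features(events)
    out = {}
    for user in {u for u, _ in feats}:
        hist = [feats[(user, d)] for d in baseline_days if (user, d) in feats]
        if len(hist) < 3 or (user, day) not in feats:
            continue  # not enough history, or no activity on that day to judge
        today, flagged = feats[(user, day)], {}
        for f in ("events", "folders", "writes"):
            vals = [h[f] for h in hist]
            z = (today[f] - mean(vals)) / (pstdev(vals) or 1.0)  # flat baseline: unit scale
            if z >= z_threshold:
                flagged[f] = round(z, 1)
        if flagged:
            out[user] = flagged
    return out
```

Calling anomalies(EVENTS, range(1, 8), 8) flags alice on event count and folder breadth but not on writes, which is the point: the sweep stands out against her own history even though each individual read was permitted.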

Back to pen testing.

Penetration testing plays an important role in risk assessments. You should always be checking your IT system for risks, along with having a sensible data governance process (restrict permissions, remove stale data, identify data owners) in place.

Your goal should be to make it very hard for hackers to easily find valuable information in the file system.

As with a lot of defensive techniques, if you make it hard enough, the attackers will find another target. Time is valuable to them as well!

And if they hang around to continue searching for data, it makes them more likely to be found using UBA techniques.

Don’t build higher castle walls! Learn how UBA can protect you from the inside.
