I used to have a cat who loved ice cream. I think I may have given her some as a kitten, and from then on, anytime that she saw someone eating ice cream she would do her best to try and steal some from them. And even if she didn’t really seem to enjoy a particular flavor, she still seemed driven to try and steal that person’s ice cream.
Like my cat stealing ice cream, bad guys are constantly trying to target organizations and their data for nefarious purposes. And compared to the numerous flavors of ice cream that my cat exfiltrated, there are a number of different flavors of data exfiltration.
And just recently, a new flavor of data exfiltration has been seen in the freezer aisle.
Mnemonic Labs recently released a very cool proof of concept blog showing how the TLS SNI extension can be used to exfiltrate data. This is very similar to data exfiltration using some of the other fancier flavors. Mnemonic’s work has shown that the SNI exfiltration method is successful in bypassing many security controls, which led me down a Splunk detection exercise.
Before diving in, here’s a bit of information around Mnemonic’s proof of concept code from their blog:
SNIcat comprises two separate but interdependent components:
In order to see the SNI information, I’m using Zeek to capture wire data. I’m then ingesting the Zeek data into Splunk, and through the use of the Splunk Decrypt App I’m able to decode the Base32 encoded SNI data (SNICat is using Base32 encoding for its exfiltration).
Here’s a quick walkthrough of what I did and the Splunk searches involved. For more information on the Mnemonic code, please refer to their blog post above.
The following search picks up the various SNICat commands passed in the SNI field, captured via Zeek’s SSL decoder and then ingested into Splunk. I’ve included an image showing the events captured as the SNICat C2 server runs through its various functions.
index=main sourcetype="bro:ssl:json" | rex field=server_name "(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" | stats count by snicat
index=main sourcetype="bro:ssl:json" | search server_name=* | rex field=server_name "(?P<base32_encoded_sni>^[A-Z2-7]+=*)" | eval b32len=len(base32_encoded_sni) | where b32len>10 | decrypt field=base32_encoded_sni b32() emit('base32_decoded_command') | table base32_decoded_command base32_encoded_sni
Here it is again, zoomed in for your viewing pleasure:
I will be adding the SNICat detection to Splunk’s Enterprise Security Content Update for use with Splunk Enterprise Security shortly, but for the time being, feel free to use the searches above.
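As an added example (not part of the original post or of Mnemonic’s SNIcat code), here are the same two checks the searches above perform, run in Python over constructed Zeek ssl.log JSON records: the command-token regex, and Base32 decoding of a long leading SNI label. Field names follow the Zeek JSON format the post ingests; the sample records and the padding-restore step are assumptions, since a DNS label cannot carry the "=" padding character.

```python
import base64
import binascii
import json
import re

# Same command list and 16-character session-id shape the post's first search keys on.
SNICAT_CMD_RE = re.compile(
    r"(?P<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)"
)
# Same Base32 alphabet the post's second search extracts from the leading label.
BASE32_LABEL_RE = re.compile(r"^[A-Z2-7]+=*")
MIN_B32_LEN = 10  # mirrors the `where b32len>10` filter in the post


def decode_base32_label(label: str):
    """Base32-decode a leading SNI label; None if it is not valid Base32.
    Padding is restored first (assumption: '=' cannot appear in a DNS label)."""
    padded = label + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None


def inspect_sni(server_name: str) -> dict:
    """Apply both detections from the post to one server_name value."""
    result = {"server_name": server_name, "snicat_cmd": None, "decoded": None}
    m = SNICAT_CMD_RE.search(server_name)
    if m:
        result["snicat_cmd"] = m.group("snicat")
    m = BASE32_LABEL_RE.match(server_name)
    if m and len(m.group(0)) > MIN_B32_LEN:
        result["decoded"] = decode_base32_label(m.group(0))
    return result


def scan_zeek_ssl(lines):
    """Run inspect_sni over Zeek ssl.log JSON lines, returning only the hits."""
    hits = []
    for line in lines:
        sni = json.loads(line).get("server_name")  # Zeek JSON omits unset fields
        if not sni:
            continue
        r = inspect_sni(sni)
        if r["snicat_cmd"] or r["decoded"] is not None:
            hits.append(r)
    return hits


# Constructed sample Zeek ssl.log records (JSON), not real capture data.
B32_LABEL = base64.b32encode(b"secret.txt").decode().rstrip("=")
SAMPLE_ZEEK_SSL = [
    '{"ts":1.0,"id.orig_h":"10.0.0.5","server_name":"www.example.com"}',
    '{"ts":2.0,"id.orig_h":"10.0.0.5","server_name":"LIST-ABCDEFGHIJKLMNOP.exfil.example"}',
    '{"ts":3.0,"id.orig_h":"10.0.0.5","server_name":"' + B32_LABEL + '.exfil.example"}',
    '{"ts":4.0,"id.orig_h":"10.0.0.6"}',
]

if __name__ == "__main__":
    for hit in scan_zeek_ssl(SAMPLE_ZEEK_SSL):
        print(hit)
```

The length filter is what keeps short, legitimate uppercase labels from being decoded, so tune `MIN_B32_LEN` against your own SNI baseline before alerting on decoded output.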
Happy Splunking!