
Intelligence Center

Threat actors increasingly abuse legitimate native utilities, third-party tools, and cloud service clients for data exfiltration, bypassing traditional static detections. The Exfiltration Framework models the behavioral and forensic characteristics of these tools to enable detection based on execution context, network patterns, and artifact persistence rather than tool presence.

Confidence: high · Analyzed: 2026-03-19

Authors: Maria Jose Erquiaga, Darin Smith

Actors: CL0P ransomware group; LEMURLOOT web shell

Source: Cisco Talos

IOCs · 2

Key Takeaways

  • Legitimate tools are frequently abused for data exfiltration, making tool presence alone an unreliable detection signal.
  • Detection difficulty increases with tool legitimacy and native or cloud integration.
  • Behavioral signals such as execution context, timing, data volume, authentication, and destination are more reliable than static indicators.
  • Masquerading and low-and-slow transfer techniques exploit trust assumptions and volume-based detection thresholds.
  • Effective detection requires correlating endpoint, network, and cloud telemetry and baselining expected tool behavior.

Affected Systems

  • Windows
  • Cloud Environments (AWS, Azure, Google Cloud)
  • MOVEit Transfer

Vulnerabilities (CVEs)

  • CVE-2023-34362

Attack Chain

Attackers exploit vulnerabilities such as CVE-2023-34362, an SQL injection flaw in MOVEit Transfer, to deploy the LEMURLOOT web shell (human2.aspx). Instead of introducing custom exfiltration malware, they abuse the platform's native authenticated download functionality to enumerate the MOVEit database and exfiltrate files at scale. They drive the web shell through custom X-siLock-* HTTP headers, create or re-create privileged service accounts, and perform high-frequency bulk downloads that blend in with legitimate transfer traffic.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules but introduces the Exfiltration Framework, which outlines behavioral focus areas such as execution context, network behavior, and forensic artifacts for building custom detections.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR sees process executions and parent-child relationships, but because legitimate tools are used, separating malicious from benign activity requires behavioral baselining.
  • Network Visibility: Medium. Traffic typically uses standard HTTPS to legitimate cloud providers and blends in; high-frequency downloads or unusual destinations can be spotted by comparison against a baseline.
  • Detection Difficulty: Hard. Attackers use legitimate, allow-listed tools and cloud services, so static IOCs are ineffective and detections must rely on contextual anomalies and behavioral baselines.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Flow Logs
  • Web Server Logs (IIS)
  • Cloud Audit Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
---------- | --------- | ------------ | -------
Unusual parent-child process relationships involving built-in utilities such as PowerShell or robocopy, or those utilities executing from unexpected directories | Process Creation | Execution | Medium
High-frequency authenticated HTTPS downloads or bulk file access patterns originating from web application directories | Web Server Logs | Exfiltration | Medium
Cloud storage clients initiating long-lived outbound connections to unapproved or external cloud tenants | Network Flow Logs | Exfiltration | High
Unexpected .aspx files in webroot directories, particularly on managed file transfer applications | File Creation | Persistence | Low
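The second and fourth hypotheses can be hunted directly in IIS W3C logs. The following is an added example, not code from the Talos article: it parses a constructed log excerpt (the IPs, usernames and FileIDs are invented), flags .aspx pages outside a hypothetical allow-list, and finds clients whose /download requests exceed a threshold inside a sliding window. The allow-list, window and threshold are assumptions to be replaced with values derived from your own servers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not from the article or any real server).
# Field order follows the default IIS W3C layout. 203.0.113.10 is a normal
# user; 198.51.100.7 hits the web shell and then pulls files in bulk.
SAMPLE_LOG = "\n".join(
    [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
        "2023-05-28 10:00:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120",
        "2023-05-28 10:00:30 10.0.0.5 GET /download FileID=101&FolderID=7 443 jsmith 203.0.113.10 Mozilla/5.0 - 200 0 0 300",
        "2023-05-28 10:03:12 10.0.0.5 GET /download FileID=102&FolderID=7 443 jsmith 203.0.113.10 Mozilla/5.0 - 200 0 0 280",
        "2023-05-28 10:04:40 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15",
    ]
    + [
        f"2023-05-28 10:05:{i:02d} 10.0.0.5 GET /download FileID={200 + i}&FolderID=9 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 40"
        for i in range(25)
    ]
    + ["2023-05-28 10:07:45 10.0.0.5 GET /download FileID=103&FolderID=7 443 jsmith 203.0.113.10 Mozilla/5.0 - 200 0 0 310"]
)

# Hypothetical allow-list of .aspx pages expected on this host. Build a real one
# from a clean install or a known-good file inventory, not from this snippet.
KNOWN_ASPX = {"/human.aspx"}


def parse_iis(text):
    """Parse W3C lines into dicts using the #Fields directive; skip other directives."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # line does not match the declared layout; ignore it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def unexpected_aspx(records, known=KNOWN_ASPX):
    """Hypothesis 4: .aspx pages requested that are not part of the expected application."""
    return {
        r["cs-uri-stem"]
        for r in records
        if r["cs-uri-stem"].lower().endswith(".aspx") and r["cs-uri-stem"].lower() not in known
    }


def download_bursts(records, window_seconds=60, threshold=20):
    """Hypothesis 2: clients whose GET /download count exceeds `threshold` in any
    sliding window of `window_seconds`. Returns {client_ip: peak_count}."""
    per_client = defaultdict(list)
    for r in records:
        if r["cs-method"] == "GET" and r["cs-uri-stem"].lower() == "/download":
            per_client[r["c-ip"]].append(r["ts"])
    hits = {}
    for ip, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1  # slide the window forward past stale requests
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    print("unexpected .aspx:", unexpected_aspx(recs))
    print("download bursts:", download_bursts(recs))
```

The burst check deliberately keys on client IP rather than username, because the web shell's downloads are unauthenticated from the application's point of view (cs-username is "-"). The X-siLock-* headers are not in this example because default IIS W3C logging does not record custom request headers; see the note under Immediate Mitigation.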

Control Gaps

  • Allow-listing of cloud providers in network security controls
  • Implicit trust of built-in OS utilities
  • Lack of behavioral baselining for data transfer volumes
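The third gap is the one low-and-slow transfers exploit: a per-flow size threshold never fires when every transfer stays under it. The following added example (not from the article) contrasts that per-flow rule with a cumulative per-(source, external destination) sum over a rolling 24-hour window, run over constructed flow records. The 50 MB per-flow limit, 100 MB daily baseline and the RFC 1918 definition of "internal" are assumptions; a real baseline comes from your own flow history.

```python
import ipaddress
from collections import defaultdict

MB = 1024 * 1024
PER_FLOW_LIMIT = 50 * MB      # typical single-transfer alert threshold (assumed)
WINDOW = 24 * 3600            # rolling window, seconds
DAILY_BASELINE = 100 * MB     # hypothetical per-pair outbound baseline; derive from real data
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def make_sample_flows():
    """Constructed flow records (src, dst, start_epoch, bytes_out); not real telemetry."""
    t0 = 1_700_000_000
    flows = [("10.0.0.21", "198.51.100.50", t0 + 300, 60 * MB)]       # one large push
    flows += [("10.0.0.7", "203.0.113.44", t0 + i * 720, 4 * MB)       # 120 x 4 MB, one every 12 minutes
              for i in range(120)]
    flows += [("10.0.0.7", "10.0.0.2", t0 + i * 3600, 1 * MB)          # internal chatter, ignored
              for i in range(24)]
    return flows


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """Volume threshold on a single flow: catches the 60 MB push, misses the 4 MB drip."""
    return [f for f in flows if f[3] > limit]


def cumulative_alerts(flows, window=WINDOW, baseline=DAILY_BASELINE):
    """Sum bytes per (src, external dst) over a sliding window; flag peaks above baseline."""
    by_pair = defaultdict(list)
    for src, dst, ts, nbytes in flows:
        if is_internal(dst):
            continue
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = {}
    for pair, recs in by_pair.items():
        recs.sort()
        start = total = peak = 0
        for ts, nbytes in recs:
            total += nbytes
            while ts - recs[start][0] > window:
                total -= recs[start][1]   # evict flows that fell out of the window
                start += 1
            peak = max(peak, total)
        if peak > baseline:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    flows = make_sample_flows()
    print("per-flow alerts:", per_flow_alerts(flows))
    print("cumulative alerts:", cumulative_alerts(flows))
```

Both rules belong in production: the per-flow rule is cheap and catches the crude case, while the cumulative rule is what turns the "small, incremental transfers over extended periods" indicator into an alert. Keying on the (source, destination) pair also sidesteps the allow-listed-provider gap, since a sudden 480 MB to one cloud endpoint stands out even when the provider as a whole is trusted.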

Key Behavioral Indicators

  • Unexpected parent processes for LOLBins
  • Renamed binaries of known sync tools (e.g., rclone)
  • Custom HTTP headers in web traffic (e.g., X-siLock-Comment and the other X-siLock-* headers used to drive LEMURLOOT)
  • Small, incremental data transfers over extended periods

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Review web server directories for unauthorized .aspx files (e.g., human2.aspx).
  • Monitor for the X-siLock-* HTTP headers associated with LEMURLOOT. Default IIS W3C logging does not record custom request headers, so either add them as custom logging fields in IIS (supported since IIS 8.5) or inspect for them at the WAF or reverse proxy in front of the server.

Infrastructure Hardening

  • Implement strict network segmentation for managed file transfer servers.
  • Restrict outbound network access from servers to only required destinations, avoiding blanket allow-lists for cloud providers.

User Protection

  • Enforce application control to block unauthorized execution of third-party sync tools like rclone or Syncthing if not required for business operations.

Security Awareness

  • Educate SOC analysts on the Exfiltration Framework and the shift from custom malware to LOLBAS for data exfiltration.

MITRE ATT&CK Mapping

  • T1030 - Data Transfer Size Limits
  • T1567 - Exfiltration Over Web Service
  • T1059 - Command and Scripting Interpreter
  • T1036 - Masquerading
  • T1505.003 - Server Software Component: Web Shell
  • T1190 - Exploit Public-Facing Application
  • T1078.004 - Valid Accounts: Cloud Accounts

Additional IOCs

  • Urls:
    • GET /human.aspx - Legitimate MOVEit Transfer page whose name LEMURLOOT mimics; requests to it are benign on their own and only meaningful alongside the other artifacts
    • GET /human2.aspx - LEMURLOOT web shell
    • GET /download?id=* - High-frequency download pattern during MOVEit exploitation
    • GET /download?FileID=<id>&FolderID=<id> - Bulk file exfiltration through web shell
  • File Paths:
    • %SystemDrive%\inetpub\logs\LogFiles\W3SVC* - IIS log files containing MOVEit exploitation artifacts
  • Other:
    • X-siLock-Comment - HTTP header used by LEMURLOOT web shell