Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

The main Drive Badger advantage over ad-hoc exfiltration scripts is a set of over 400 unique exclusion rules, which reduce the number of files to be copied by removing low-value files and directories (e.g. Windows system files) from the list, typically saving over 95% of the time a "naive" script would spend.

Thanks to these rules, the whole exfiltration operation on a typical office computer usually takes under 2 minutes.

That's just the speed advantage. See also the other advantages of Drive Badger.

Functional groups

All rules are divided into 14 functional groups. Each group is a separate repository and can be configured on Drive Badger or Mobile Badger devices independently of the others:

exclude-windows

  • Windows system files
  • common Microsoft software: Office, OneDrive, Edge, Windows Live - except for:
    • OEM preinstalled trial versions of Microsoft Office (provided by the exclude-oem repository)
    • instant messaging and video conferencing software (provided by the exclude-messaging repository)

exclude-linux

  • Linux system directories (either generic or Debian-style)

exclude-macos

  • Mac OS system directories (tested on Yosemite and Catalina)

exclude-oem

  • hardware drivers, including those for common peripheral devices (Creative soundcards, HP printers etc.)
  • preinstalled trial versions of Microsoft Office
  • preinstalled OEM software (Acer, Dell, Fujitsu etc.) - except for:
    • antivirus and other security software (provided by the exclude-antivirus repository)
    • OEM games, game launchers and other related tools (provided by the exclude-gaming repository)
    • PDF related software (provided by the exclude-pdf repository)
    • trial versions of image/audio/video recording/editing/streaming software (provided by the exclude-digital repository)

exclude-antivirus

  • virus databases for many anti-virus products
  • other downloaded updates for such software
  • quarantined files (almost always in encrypted form, useless to anyone other than the particular software vendor)

exclude-software

  • additional browsers: Google Chrome, Opera, Firefox
  • alternative office software: LibreOffice, Mozilla Thunderbird
  • remote work software: TeamViewer
  • multimedia viewers: IrfanView, VLC, movie codecs
  • productivity software: Evernote, Notepad++
  • Java

exclude-pdf

  • PDF readers/writers: Adobe Reader, Foxit Reader, Foxit PhantomPDF, novaPDF, PDF Architect, PDFCreator, PDFsam

exclude-messaging

  • instant messaging and video conferencing software (Teams, Slack, Skype, Zoom, WebEx and others)

exclude-devel

  • Android Studio
  • Microsoft Visual Studio
  • Microsoft SQL Server
  • database management tools (PostgreSQL pgAdmin, SQL Server Management Studio)
  • hypervisors (VirtualBox, VMware)
  • various JetBrains software
  • various tools and SDKs

exclude-digital

  • image/audio/video recording/editing/streaming software - except for:
    • image/audio/video players (e.g. IrfanView, VLC)
    • video codecs (e.g. K-Lite)
    • OEM preinstalled software (provided by the exclude-oem repository)
    • Windows Live video editing software (provided by the exclude-windows repository)
    • multimedia files (provided by the exclude-user repository)

exclude-erp

  • installation files related to ERP/business software (mostly specific to Poland)

exclude-gaming

  • games (OEM preinstalled, games installed by users)
  • content related to browser games
  • game launchers
  • other gaming-related tools (except for generic video-recording/streaming software)

exclude-user

  • multimedia files (avi/mkv/rmvb movies, mp3/flac music)
  • image files containing encrypted filesystems
  • Mozilla Firefox/Thunderbird caches
  • Windows memory dumps
  • Windows search telemetry
  • Universal Windows Platform application cache

exclude-virtual

This special repository should be installed only in tandem with the hook-virtual hook. It speeds up exfiltrating VMware and Hyper-V virtualization servers by excluding:

  • VMDK (for VMware), VHD/VHDX and other Hyper-V related virtual drive images
  • ISO images (mostly OS installation media)

That hook mounts these drive images just like local drives and then exfiltrates them recursively.

Technical details

The actual exfiltration process is carried out with the rsync tool, passing an --exclude-from parameter for each group.

Each functional group is maintained as a separate Git repository containing an exclude.list file. All repositories listed above are maintained as part of the Drive Badger project, so you can rely on their timeliness and quality.

You can fork each of these repositories and maintain the forks yourself. You can even create completely new rule sets and use them on your Drive Badger / Mobile Badger devices.