Mitigation - lighthouseitsecurity/barabbas GitHub Wiki

Mitigation

Although the purpose of this tool is to transfer files, this section provides an overview of recommended countermeasures against the security risks that its usage implies (seen from an offensive/attacking perspective). These risks are not specific to this tool; they apply to file transfer and data exfiltration over HTTP in general.

Preventive countermeasures that remove the risk outright (e.g. disabling HTTP OS-wide) are almost never an option, so the feasible approach is to apply mitigative countermeasures where relevant and possible, in order to reduce the likelihood and impact of these risks as far as possible. These countermeasures can be applied at various abstraction layers within a computer network:

  • System-level (i.e. at operating systems)
  • Network-level (i.e. at internal/local networks)
  • Network perimeter-level (i.e. at Internet interaction points)

The following chapter lists recommended mitigative countermeasures for each abstraction layer mentioned above. Most of them must be adapted to the target environment and can be implemented to varying degrees, depending on the requirements, interests, current security maturity level and available resources of the target organization.

Recommendations

  • system-level
    • restrict access to all OS binaries, according to the principle of least privilege [1]
      • at a minimum, ensure access to the binaries catalogued in the following lists (which can be abused for downloading/uploading files, among other things) is restricted
        • Linux - GTFOBins [2]
        • Windows - LOLBAS [3]
      • NOTE: if/where required, allow usage of any binaries that are required for performing business-related activities
    • restrict the functionality available in any management tools/utilities in use (e.g. PowerShell, using Just Enough Administration (JEA)), according to the principle of least privilege [1]
    • prevent installation of unauthorized software (e.g. third-party tools/utilities, unauthorized browser plugins)
    • restrict incoming/outgoing connections via local (i.e. system) firewall, according to the principle of least privilege [1]
    • perform system hardening (includes all previously mentioned points + additional OS-related measures)
    • perform technical IT security assessments of all production systems (desktop and server) on a regular (periodic) basis
    • implement a proven/effective endpoint Data Loss Prevention (DLP) solution
  • network-level
    • perform network segmentation [4]
      • restrict incoming/outgoing connections between network segments using a network-level firewall, according to the principle of least privilege [1]
    • perform internal network infrastructure penetration tests, on a regular (periodic) basis
    • implement a proven/effective network Data Loss Prevention (DLP) solution
  • network perimeter-level
    • implement company-wide web proxy
      • implement allow-listing [5], according to the principle of least privilege [1]
    • selectively decrypt and inspect HTTP/HTTPS traffic for compliance, malware and data loss (excluding categories that must not be intercepted for legal/privacy reasons, e.g. banking or health services, according to the organization's policy)
    • monitor HTTP/HTTPS traffic via Security Information and Event Management (SIEM) solution
      • implement anomaly-based detection rules
        • monitor network traffic
        • monitor user behavior
    • perform external network infrastructure penetration tests, on a regular (periodic) basis
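The allow-listing and anomaly-based detection items above can be turned into a concrete detection pass over web-proxy logs. The following is an added example (it is not part of barabbas and not the project's own code): it parses a constructed, simplified proxy log format, flags requests to destinations outside an assumed allow-list, flags single large HTTP uploads (POST/PUT/PATCH bodies above a threshold), and flags users whose total upload volume exceeds a multiple of an assumed per-user baseline. The log format, allow-list, thresholds and baseline figures are all assumptions; a real deployment would parse the actual proxy's format (Squid, Zscaler, etc.) and learn the baselines from the SIEM's history.

```python
"""Detection pass over web-proxy logs: allow-list violations, large HTTP
uploads and per-user upload-volume anomalies.

Added example, not part of barabbas. Log format, allow-list, thresholds
and baseline figures are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified proxy log format (space separated):
#   <epoch> <user> <client_ip> <method> <host> <bytes_sent_by_client> <status>
# Real proxies use their own formats; adapt parse_line() accordingly.
SAMPLE_LOG = """\
1700000000 alice 10.0.1.10 GET intranet.corp.example 512 200
1700000005 alice 10.0.1.10 POST crm.vendor.example 20480 200
1700000010 bob 10.0.1.20 GET www.example.org 300 200
1700000020 bob 10.0.1.20 PUT 203.0.113.7 52428800 201
1700000030 bob 10.0.1.20 POST 203.0.113.7 73400320 201
1700000040 carol 10.0.1.30 GET updates.vendor.example 1024 200
1700000050 carol 10.0.1.30 POST files.vendor.example 1048576 200
"""

# Assumed allow-list: an exact host name or any subdomain of a listed suffix.
ALLOW_LIST = {"intranet.corp.example", "vendor.example", "example.org"}

# Assumed thresholds; tune them to the environment.
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024   # single request body of 10 MiB or more
BASELINE_FACTOR = 3.0                   # total uploads above 3x the user's baseline
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Assumed per-user baseline of typical daily upload volume in bytes (in practice
# learned from the previous weeks of proxy logs). Users without a baseline get 0,
# so any upload by them is reported; treat that as a deliberately strict default.
UPLOAD_BASELINE = {
    "alice": 5 * 1024 * 1024,
    "bob": 1 * 1024 * 1024,
    "carol": 2 * 1024 * 1024,
}


@dataclass
class Event:
    ts: int
    user: str
    client_ip: str
    method: str
    host: str
    bytes_out: int
    status: int


def parse_line(line: str) -> Event:
    ts, user, ip, method, host, nbytes, status = line.split()
    return Event(int(ts), user, ip, method.upper(), host, int(nbytes), int(status))


def is_allow_listed(host: str, allow_list=ALLOW_LIST) -> bool:
    """Exact match or a subdomain of an allow-listed suffix.

    The "." prefix in the suffix check matters: without it, "notvendor.example"
    would pass for the entry "vendor.example". Raw IP literals never match,
    which is intended: legitimate services are reached by name.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allow_list)


def analyse(log_text: str, allow_list=ALLOW_LIST, baseline=UPLOAD_BASELINE):
    """Return a list of (rule, user, detail) alerts, one per finding."""
    alerts = []
    upload_totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: destination outside the allow-list (the proxy should block it;
        # the attempt itself is still worth an alert).
        if not is_allow_listed(ev.host, allow_list):
            alerts.append(("non_allowlisted_destination", ev.user, ev.host))
        if ev.method in UPLOAD_METHODS:
            upload_totals[ev.user] += ev.bytes_out
            # Rule 2: a single large upload, regardless of destination.
            if ev.bytes_out >= LARGE_UPLOAD_BYTES:
                alerts.append(("large_upload", ev.user,
                               f"{ev.method} {ev.host} {ev.bytes_out}B"))
    # Rule 3: per-user upload volume well above that user's baseline.
    for user, total in upload_totals.items():
        base = baseline.get(user, 0)
        if total > base * BASELINE_FACTOR:
            alerts.append(("upload_volume_anomaly", user,
                           f"{total}B vs baseline {base}B"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyse(SAMPLE_LOG):
        print(f"{rule:28} {user:8} {detail}")
```

On the constructed sample, only bob is reported: two requests to a bare IP address outside the allow-list, two uploads above the single-request threshold, and a total upload volume far above his baseline. Rule 3 is the one that catches slow exfiltration split into many small requests, which rules 1 and 2 miss when the destination is a legitimately allow-listed service (e.g. a cloud storage provider the organization uses).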

[1] https://en.wikipedia.org/wiki/Principle_of_least_privilege

[2] https://gtfobins.github.io/

[3] https://lolbas-project.github.io/

[4] https://en.wikipedia.org/wiki/Network_segmentation

[5] https://en.wikipedia.org/wiki/Whitelisting
