Sherlock: covert data exfiltration platform

Where every second matters...

Sherlock is a USB device allowing very fast reconnaissance and data exfiltration from Windows computers and servers without the user’s awareness. Advantages over other forensics tools:

  • "Every Second Matters": copy the most valuable data first
  • 100% invisible for target user (this is our #1 priority)
  • Disguise functionality (Excel, music player etc.)
  • DLP software evasion
  • Anti-virus software evasion
  • UAC evasion
  • Anti-debug protection
  • Compatible with all Windows versions since XP

Sherlock's core is a semi-intelligent data classifier, which analyzes the computer, finds the most valuable directories and copies them in that order. So no matter how much time you have before you must disconnect, you can always be sure that Sherlock will squeeze the most value out of every single second.

100% invisibility - our #1 priority

Sherlock is designed to audit computers seen for the first time, without the user's knowledge and, obviously, without attracting the user's attention (as that could break the audit process, alert counterintelligence etc.).
Our #1 priority is to avoid any potential visible effects of the audit (e.g. strange popups with warnings and error messages, alerts from anti-virus or other software, password dialogs, opening and closing console windows, switching window focus between open windows etc.).

Careful testing

Each new version of Sherlock is extensively retested on all supported platforms to make sure there are no surprises. All new reconnaissance tools are carefully checked for side effects and overall behaviour.

DLP evasion

Sherlock detects the presence of hidden DLP software (Safetica, ObserveIT, DeviceLock, McAfee DLP) and automatically changes the audit scope to avoid being detected and/or blocked.

AV heuristics evasion

Sherlock avoids detection by anti-virus heuristics by using "trusted" Windows internal tools, e.g. robocopy, powershell, sqlcmd etc., to perform the actual dirty work.
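
A defender-side check for the behaviour described above, as an added example that is not part of the original page or the vendor's code: it flags robocopy, powershell or sqlcmd process-creation events whose parent image, working directory or command line references a removable drive. The event dicts are constructed samples using Sysmon Event ID 1 field names, and the set of removable drive letters is assumed to come from your own device inventory.

```python
import re
from pathlib import PureWindowsPath

# Built-in tools the page names as doing the actual copy work.
WATCHED_TOOLS = {"robocopy.exe", "powershell.exe", "sqlcmd.exe"}
# A drive letter followed by a path separator (matches E:\ but not the /R:0 switch).
DRIVE_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]):[\\/]")

# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Robocopy.exe", "ParentImage": r"E:\setup.exe",
     "CurrentDirectory": "E:\\",
     "CommandLine": r"robocopy C:\Users\alice\Documents E:\d /E /R:0"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Program Files\SqlTools\sqlcmd.exe",  # hypothetical install path
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": r'sqlcmd -S localhost -Q "SELECT name FROM sys.databases" -o E:\out.txt'},
    {"Image": r"E:\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": "E:\\", "CommandLine": r"E:\notepad.exe"},
]

def drives_in(text):
    """Return the upper-cased drive letters referenced in a path or command line."""
    return {d.upper() for d in DRIVE_RE.findall(text or "")}

def flag_events(events, removable_drives):
    """Flag watched tools whose parent, working directory or arguments touch removable media."""
    removable = {d.upper().rstrip(":\\") for d in removable_drives}
    alerts = []
    for ev in events:
        tool = PureWindowsPath(ev.get("Image", "")).name.lower()
        if tool not in WATCHED_TOOLS:
            continue
        hits = {}
        for field in ("ParentImage", "CurrentDirectory", "CommandLine"):
            found = drives_in(ev.get(field, "")) & removable
            if found:
                hits[field] = sorted(found)
        if hits:
            alerts.append({"tool": tool, "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS, {"E"}):
        print(alert)
```

Legitimate backups to external disks will also match, so treat a hit as a triage signal to correlate with device-arrival events rather than as a verdict.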

UAC evasion

UAC is tricked into showing the publisher name from other signed files, e.g. parts of the Windows system signed by Microsoft (and in most cases, UAC warnings are avoided completely).

Available disguises

Apart from the Sherlock core, we created several solutions meant to trick the user into starting the audit themselves:
  • working(!) Excel spreadsheet (without any macros required, with real, working functionality of your chosen spreadsheet, even with working Ctrl+S to save changes)
  • MP3 player with real music, using any player software that is already installed on the user's computer
  • installer of real software (Total Commander, Adobe Photoshop etc. – we offer 60 ready to use profiles)

Optional features

We can integrate several additional functionalities on request, e.g.:
  • Scout/Soldier programs developed by HackingTeam (or any similar solution - but note that integrating publicly known programs may lead to detection by anti-virus or DLP software)
  • planting (also conditionally) provided files on the target computer
  • data exfiltration through the network (works much slower and introduces the risk of detection e.g. by network monitoring, but doesn't require getting back the drive)

Hardware options

Sherlock can be installed on any USB drive, including a classic pen drive, an external USB (magnetic or SSD) disk, or even a memory card connected through a USB card reader.

For standard orders we use Cruzer Ultra Fit 64/128GB USB 3.0 drives (as on the above photo), because of their very high speed and very small size at the same time.

We also offer several custom versions:
  • integrated with the Bash Bunny hardware platform
  • paired with the USB Rubber Ducky hardware platform (as a fully automatic audit initiator)
  • built using a custom-style pen drive (e.g. wedding, animals, funny, Star Wars, Angry Birds, Marvel heroes, The Simpsons)
  • USB 2.0 compatible, built using Cruzer Switch drives (note that almost all USB 2.0-only computers will properly recognize USB 3.0 drives without problems)

Note that Sherlock with full payload uses over 15GB of space.

Supported Windows versions

  • Windows XP Home/Professional [1]
  • Windows Vista Home/Business [1]
  • Windows 7 Starter to Ultimate
  • Windows 8 Standard to Enterprise
  • Windows 8.1 Standard to Enterprise
  • Windows 10 Home to Enterprise
  • Windows Server 2003, 2003 R2
  • Windows Server 2008, 2008 R2
  • Windows Server 2012, 2012 R2
  • Windows Server 2016
  • Windows Server Core 2008 R2 [2]
  • Windows Embedded Standard 7 [2]
  • Windows Embedded 8.1 Industry (Pro)

[1] - disguises require installing .NET Framework 4.0 (installer is included on Sherlock device)

[2] - limited functionality (disguises not working, less reconnaissance data collected, no support for exfiltrating SQL Server databases – but core exfiltration is working)

1. Core reconnaissance/exfiltration functionalities and a very basic disguise - $400
  • meant to be used openly, when there is no special need for hiding (or initiated using Bash Bunny or Rubber Ducky tools, sold separately)
  • this includes 1 free hour of email support and 1 free hour of fine tuning our exfiltration algorithm to e.g. prioritize particular data types or target a particular computer

2. Software installer disguise - $100 for 1, $400 for 10
  • really installs this particular software, in either latest or specified version
  • evading UAC
  • 60 ready to use profiles from simple tools like 7-Zip or Total Commander, through security tools like Avast, Comodo Firewall to ERP, medical, CAD and other specialized systems (contact us for the full list)
  • on request we can wrap any other software you need

3. Excel spreadsheet disguise - $300
  • really working spreadsheet
  • without requiring any macros
  • relying on Excel/LibreOffice version installed on user’s computer
  • supporting even saving changes and reloading spreadsheet
  • we can wrap your provided spreadsheet
  • protected against debugging and unauthorized copying

4. Music player disguise - $100 + $20 for each additional MP3 file
  • can play your provided MP3 files
  • relying on player software already installed on the computer (e.g. VLC, Windows Media Player, Winamp, Foobar)

5. Customization and support - $50 per hour

6. Hardware:
  • Cruzer Ultra Fit 128GB USB 3.0 - $60
  • Bash Bunny - $170 (discount available for bigger quantities)
  • USB Rubber Ducky - $120 (discount available for bigger quantities)
  • USB cables, hubs and other accessories allowing e.g. hiding inside clothes – contact us for details
  • handling and shipping outside Poland - paid separately

All prices exclude VAT and other applicable taxes.

How to buy

Sherlock, being an offensive IT security device, can only be sold to law enforcement and intelligence agencies, private investigators, forensics experts, auditors, corporate "red" security teams and security researchers.

Before finalizing the deal we require a signed NDA covering Sherlock technology, and a declaration that Sherlock will be used only for lawful purposes (including the legal basis, with the full exact name of the legal act and the article number(s) that apply to your case).

After finalizing the documents and discussing the best Sherlock configuration(s) for you, all payments can be made by bank transfer or through PayPal, at your preference.