Exfiltration

The adversary is trying to steal data.

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Techniques: 9

T1020 Automated Exfiltration: Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
    .001 Traffic Duplication: Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device.
T1030 Data Transfer Size Limits: An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
T1048 Exfiltration Over Alternative Protocol: Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
    .001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol: Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
    .002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol: Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
    .003 Exfiltration Over Unencrypted Non-C2 Protocol: Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
T1041 Exfiltration Over C2 Channel: Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
T1011 Exfiltration Over Other Network Medium: Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.
    .001 Exfiltration Over Bluetooth: Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
T1052 Exfiltration Over Physical Medium: Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
    .001 Exfiltration over USB: Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
T1567 Exfiltration Over Web Service: Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
    .001 Exfiltration to Code Repository: Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.
    .002 Exfiltration to Cloud Storage: Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet.
    .003 Exfiltration to Text Storage Sites: Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
T1029 Scheduled Transfer: Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
T1537 Transfer Data to Cloud Account: Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfer/download and network-based exfiltration detection.