Find sigma rule

Attack: Exfiltration Over Web Service: Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

MITRE

Tactic

exfiltration

technique

T1567.002

Test : Exfiltrate data with rclone to cloud Storage - Mega (Windows)

OS

windows

Description:

This test uses rclone to exfiltrate data to a remote cloud storage instance. (Mega) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/

Executor

powershell

Sigma Rule

proc_creation_win_pua_rclone_execution.yml (id: e37db05d-d1f9-49c8-b464-cee1a4b11638)
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml (id: 349d891d-fef0-4fe4-bc53-eee623a15969)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test