Find sigma rule
Attack: Exfiltration Over Web Service: Exfiltration to Cloud Storage
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
MITRE
Tactic
- exfiltration
technique
- T1567.002
Test : Exfiltrate data with rclone to cloud Storage - Mega (Windows)
OS
- windows
Description:
This test uses rclone to exfiltrate data to a remote cloud storage instance. (Mega) See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
Executor
powershell
Sigma Rule
-
proc_creation_win_pua_rclone_execution.yml (id: e37db05d-d1f9-49c8-b464-cee1a4b11638)
-
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml (id: 349d891d-fef0-4fe4-bc53-eee623a15969)