Generated docs from job=generate-docs branch=master [ci skip]

2023-09-19 19:51:19 +00:00
parent 9cb101bde7
commit 429bad7d5b
22 changed files with 175 additions and 8 deletions
@@ -1157,6 +1157,7 @@ collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
+collection,T1005,Data from Local System,1,Search files of interest and save them to a single zip file (Windows),d3d9af44-b8ad-4375-8b0a-4bff4b7e419c,powershell
 collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -786,6 +786,7 @@ collection,T1119,Automated Collection,4,Recon information for export with Comman
 collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
 collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
+collection,T1005,Data from Local System,1,Search files of interest and save them to a single zip file (Windows),d3d9af44-b8ad-4375-8b0a-4bff4b7e419c,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
@@ -1816,7 +1816,8 @@
  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
  - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1005 Data from Local System](../../T1005/T1005.md)
+  - Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
 - [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
  - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
  - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
@@ -1284,7 +1284,8 @@
  - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
  - Atomic Test #4: Collect Clipboard Data via VBA [windows]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1005 Data from Local System](../../T1005/T1005.md)
+  - Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
 - T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560 Archive Collected Data](../../T1560/T1560.md)
  - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
@@ -17,7 +17,7 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Application Window Discovery](../../T1010/T1010.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Active Setup](../../T1547.014/T1547.014.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Network Sniffing](../../T1040/T1040.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -15,7 +15,7 @@
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Information Discovery](../../T1082/T1082.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Information Discovery](../../T1082/T1082.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Local System](../../T1005/T1005.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
@@ -47170,6 +47170,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46944,6 +46944,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46564,6 +46564,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46390,6 +46390,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46828,6 +46828,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46957,6 +46957,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46856,6 +46856,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -80183,7 +80183,45 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1005
+    atomic_tests:
+    - name: Search files of interest and save them to a single zip file (Windows)
+      auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
+      description: "This test searches for files of certain extensions and saves them
+        to a single zip file prior to extraction.                              \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        starting_directory:
+          description: Path to starting directory for the search
+          type: Path
+          default: C:\Users
+        output_zip_folder_path:
+          description: Path to directory for saving the generated zip file
+          type: Path
+          default: PathToAtomicsFolder\..\ExternalPayloads\T1005
+        file_extensions:
+          description: List of file extensions to be searched and zipped, separated
+            by comma and space
+          type: string
+          default: ".doc, .docx, .txt"
+      executor:
+        command: "$startingDirectory = \"#{starting_directory}\"\n$outputZip = \"#{output_zip_folder_path}\"\n$fileExtensionsString
+          = \"#{file_extensions}\" \n$fileExtensions = $fileExtensionsString -split
+          \", \"\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force
+          | Out-Null\n\nFunction Search-Files {\n  param (\n    [string]$directory\n
+          \ )\n  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object
+          {\n    $fileExtensions -contains $_.Extension.ToLower()\n  }\n  return $files\n}\n\n$foundFiles
+          = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt
+          0) {\n  $foundFilePaths = $foundFiles.FullName\n  Compress-Archive -Path
+          $foundFilePaths -DestinationPath \"$outputZip\\data.zip\"\n\n  Write-Host
+          \"Zip file created: $outputZip\\data.zip\"\n  } else {\n      Write-Host
+          \"No files found with the specified extensions.\"\n  }\n"
+        cleanup_command: 'Remove-Item -Path  $outputZip\data.zip -Force
+
+          '
+        name: powershell
+        elevation_required: false
  T1560.002:
    technique:
      x_mitre_platforms:
@@ -52924,6 +52924,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -50883,6 +50883,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46571,6 +46571,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -46390,6 +46390,7 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1005
    atomic_tests: []
  T1560.002:
    technique:
@@ -68857,7 +68857,45 @@ collection:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1005
+    atomic_tests:
+    - name: Search files of interest and save them to a single zip file (Windows)
+      auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
+      description: "This test searches for files of certain extensions and saves them
+        to a single zip file prior to extraction.                              \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        starting_directory:
+          description: Path to starting directory for the search
+          type: Path
+          default: C:\Users
+        output_zip_folder_path:
+          description: Path to directory for saving the generated zip file
+          type: Path
+          default: PathToAtomicsFolder\..\ExternalPayloads\T1005
+        file_extensions:
+          description: List of file extensions to be searched and zipped, separated
+            by comma and space
+          type: string
+          default: ".doc, .docx, .txt"
+      executor:
+        command: "$startingDirectory = \"#{starting_directory}\"\n$outputZip = \"#{output_zip_folder_path}\"\n$fileExtensionsString
+          = \"#{file_extensions}\" \n$fileExtensions = $fileExtensionsString -split
+          \", \"\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force
+          | Out-Null\n\nFunction Search-Files {\n  param (\n    [string]$directory\n
+          \ )\n  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object
+          {\n    $fileExtensions -contains $_.Extension.ToLower()\n  }\n  return $files\n}\n\n$foundFiles
+          = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt
+          0) {\n  $foundFilePaths = $foundFiles.FullName\n  Compress-Archive -Path
+          $foundFilePaths -DestinationPath \"$outputZip\\data.zip\"\n\n  Write-Host
+          \"Zip file created: $outputZip\\data.zip\"\n  } else {\n      Write-Host
+          \"No files found with the specified extensions.\"\n  }\n"
+        cleanup_command: 'Remove-Item -Path  $outputZip\data.zip -Force
+
+          '
+        name: powershell
+        elevation_required: false
  T1560.002:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,76 @@
+# T1005 - Data from Local System
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1005)
+<blockquote>Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
+
+Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)](#atomic-test-1---search-files-of-interest-and-save-them-to-a-single-zip-file-windows)
+
+
+<br/>
+
+## Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)
+This test searches for files of certain extensions and saves them to a single zip file prior to extraction.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| starting_directory | Path to starting directory for the search | Path | C:&#92;Users|
+| output_zip_folder_path | Path to directory for saving the generated zip file | Path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1005|
+| file_extensions | List of file extensions to be searched and zipped, separated by comma and space | string | .doc, .docx, .txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$startingDirectory = "#{starting_directory}"
+$outputZip = "#{output_zip_folder_path}"
+$fileExtensionsString = "#{file_extensions}" 
+$fileExtensions = $fileExtensionsString -split ", "
+
+New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
+
+Function Search-Files {
+  param (
+    [string]$directory
+  )
+  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
+    $fileExtensions -contains $_.Extension.ToLower()
+  }
+  return $files
+}
+
+$foundFiles = Search-Files -directory $startingDirectory
+if ($foundFiles.Count -gt 0) {
+  $foundFilePaths = $foundFiles.FullName
+  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
+
+  Write-Host "Zip file created: $outputZip\data.zip"
+  } else {
+      Write-Host "No files found with the specified extensions."
+  }
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path  $outputZip\data.zip -Force
+```
+
+
+
+
+
+<br/>