Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -137,6 +137,8 @@ collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShe
 collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
+collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administive share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
 collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -92,6 +92,8 @@ collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands
 collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
+collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administive share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
 collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -213,7 +213,9 @@
 - T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
+  - Atomic Test #1: Copy a sensitive File over Administive share with copy [windows]
+  - Atomic Test #2: Copy a sensitive File over Administive share with Powershell [windows]
 - T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -154,7 +154,9 @@
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
+  - Atomic Test #1: Copy a sensitive File over Administive share with copy [windows]
+  - Atomic Test #2: Copy a sensitive File over Administive share with Powershell [windows]
 - T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Matrices/matrix.md

@@ -19,7 +19,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DCSync](../../T1003.006/T1003.006.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [Forced Authentication](../../T1187/T1187.md) | [Local Groups](../../T1069.001/T1069.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [Forced Authentication](../../T1187/T1187.md) | [Local Groups](../../T1069.001/T1069.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Network Shared Drive](../../T1039/T1039.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Native API](../../T1106/T1106.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Network Sniffing](../../T1040/T1040.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/windows-matrix.md

@@ -15,7 +15,7 @@
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Network Shared Drive](../../T1039/T1039.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Control Panel](../../T1218.002/T1218.002.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/index.yaml

@@ -9174,7 +9174,104 @@ collection:
         and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
       created: '2017-05-31T21:30:41.022Z'
       created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1039
+    atomic_tests:
+    - name: Copy a sensitive File over Administive share with copy
+      auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
+      description: |-
+        Copy from sensitive File from the c$ of another LAN computer with copy cmd
+        https://twitter.com/SBousseaden/status/1211636381086339073
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote:
+          description: Remote server name
+          type: string
+          default: 127.0.0.1
+        share_file:
+          description: Remote Path to the file
+          type: Path
+          default: Windows\temp\Easter_Bunny.password
+        local_file:
+          description: Local name
+          type: string
+          default: Easter_egg.password
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Administrative share must exist on #{remote}
+
+'
+        prereq_command: 'if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host ''Please Enable "C$" share on #{remote}''
+
+'
+      - description: '"\\#{remote}\C$\#{share_file}" must exist on #{remote}
+
+'
+        prereq_command: 'if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else
+          {exit 1}
+
+'
+        get_prereq_command: 'Out-File -FilePath "\\#{remote}\C$\#{share_file}"
+
+'
+      executor:
+        command: copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
+        cleanup_command: |-
+          del \\#{remote}\C$\#{share_file}
+          del %TEMP%\#{local_file}
+        name: command_prompt
+        elevation_required: true
+    - name: Copy a sensitive File over Administive share with Powershell
+      auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98
+      description: |-
+        Copy from sensitive File from the c$ of another LAN computer with powershell
+        https://twitter.com/SBousseaden/status/1211636381086339073
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote:
+          description: Remote server name
+          type: string
+          default: 127.0.0.1
+        share_file:
+          description: Remote Path to the file
+          type: Path
+          default: Windows\temp\Easter_Bunny.password
+        local_file:
+          description: Local name
+          type: string
+          default: Easter_egg.password
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Administrative share must exist on #{remote}
+
+'
+        prereq_command: 'if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host ''Please Enable "C$" share on #{remote}''
+
+'
+      - description: '"\\#{remote}\C$\#{share_file}" must exist on #{remote}
+
+'
+        prereq_command: 'if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else
+          {exit 1}
+
+'
+        get_prereq_command: 'Out-File -FilePath "\\#{remote}\C$\#{share_file}"
+
+'
+      executor:
+        command: copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
+        cleanup_command: |-
+          Remove-Item -Path "\\#{remote}\C$\#{share_file}"
+          Remove-Item -Path "$Env:TEMP\#{local_file}"
+        name: powershell
+        elevation_required: true
   T1025:
     technique:
       object_marking_refs:

atomics/T1039/T1039.md

@@ -0,0 +1,135 @@
+# T1039 - Data from Network Shared Drive
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1039)
+<blockquote>Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Copy a sensitive File over Administive share with copy](#atomic-test-1---copy-a-sensitive-file-over-administive-share-with-copy)
+
+- [Atomic Test #2 - Copy a sensitive File over Administive share with Powershell](#atomic-test-2---copy-a-sensitive-file-over-administive-share-with-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Copy a sensitive File over Administive share with copy
+Copy from sensitive File from the c$ of another LAN computer with copy cmd
+https://twitter.com/SBousseaden/status/1211636381086339073
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6ed67921-1774-44ba-bac6-adb51ed60660
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote | Remote server name | string | 127.0.0.1|
+| share_file | Remote Path to the file | Path | Windows&#92;temp&#92;Easter_Bunny.password|
+| local_file | Local name | string | Easter_egg.password|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del \\#{remote}\C$\#{share_file}
+del %TEMP%\#{local_file}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Administrative share must exist on #{remote}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host 'Please Enable "C$" share on #{remote}'
+```
+##### Description: "\\#{remote}\C$\#{share_file}" must exist on #{remote}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Out-File -FilePath "\\#{remote}\C$\#{share_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Copy a sensitive File over Administive share with Powershell
+Copy from sensitive File from the c$ of another LAN computer with powershell
+https://twitter.com/SBousseaden/status/1211636381086339073
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7762e120-5879-44ff-97f8-008b401b9a98
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote | Remote server name | string | 127.0.0.1|
+| share_file | Remote Path to the file | Path | Windows&#92;temp&#92;Easter_Bunny.password|
+| local_file | Local name | string | Easter_egg.password|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "\\#{remote}\C$\#{share_file}"
+Remove-Item -Path "$Env:TEMP\#{local_file}"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Administrative share must exist on #{remote}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host 'Please Enable "C$" share on #{remote}'
+```
+##### Description: "\\#{remote}\C$\#{share_file}" must exist on #{remote}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Out-File -FilePath "\\#{remote}\C$\#{share_file}"
+```
+
+
+
+
+<br/>