Updated T1002 (#655)

atomics/T1002/T1002.yaml

@@ -1,7 +1,7 @@
 ---
 attack_technique: T1002
 display_name: Data Compressed
-
+# Changed to dir User Profile instead of entire C: directory 
 atomic_tests:
 - name: Compress Data for Exfiltration With PowerShell
   description: |
@@ -12,16 +12,18 @@ atomic_tests:
     input_file:
       description: Path that should be compressed into our output file
       type: Path
-      default: C:\*
+      default: $env:USERPROFILE
     output_file:
       description: Path where resulting compressed data should be placed
       type: Path
-      default: C:\test\Data.zip
+      default: $env:USERPROFILE\data.zip
   executor:
     name: powershell
     elevation_required: false
     command: |
       dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
+    cleanup_command: |
+      Remove-Item -path #{output_file}
 
 - name: Compress Data for Exfiltration With Rar
   description: |
@@ -29,19 +31,27 @@ atomic_tests:
   supported_platforms:
     - windows
   input_arguments:
-    input_file:
+    input_path:
       description: Path that should be compressed into our output file
       type: Path
-      default: "*.docx"
+      default: '%USERPROFILE%'
+    file_extension:
+      description: Extension of files to compress
+      type: String
+      default: ".txt"
     output_file:
       description: Path where resulting compressed data should be placed
       type: Path
-      default: exfilthis.rar
+      default: '%USERPROFILE%\data.rar'
   executor:
     name: command_prompt
     elevation_required: false
+    prereq_command: |
+      rar /?
     command: |
-      rar a -r #{output_file} #{input_file}
+      rar a -r #{output_file} #{input_path}*{file_extension}
+    cleanup_command:
+      del -f #{output_file}
 
 - name: Data Compressed - nix - zip
   description: |
@@ -53,16 +63,20 @@ atomic_tests:
     input_files:
       description: Path that should be compressed into our output file, may include wildcards
       type: Path
-      default: /tmp/victim-files/*
+      default: $HOME/*.txt
     output_file:
       description: Path that should be output as a zip archive
       type: Path
-      default: /tmp/victim-files.zip
+      default: $HOME/data.zip
   executor:
     name: sh
     elevation_required: false
+    prereq_command: |
+      ls #{input_file}
     command: |
       zip #{output_file} #{input_files}
+    cleanup_command:
+      rm -f #{output_file}
 
 - name: Data Compressed - nix - gzip Single File
   description: |
@@ -74,12 +88,18 @@ atomic_tests:
     input_file:
       description: Path that should be compressed
       type: Path
-      default: /tmp/victim-gzip.txt
+      default: $HOME/victim-gzip.txt
+    input_content:
+      description: contents of compressed files if file does not already exist. default contains test credit card and social security number
+      type: String
+      default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101'
   executor:
     name: sh
     elevation_required: false
     command: |
-      gzip -f #{input_file}
+      test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
+    cleanup_command: |
+      rm -f #{input_file}.gz
 
 - name: Data Compressed - nix - tar Folder or File
   description: |
@@ -91,13 +111,17 @@ atomic_tests:
     input_file_folder:
       description: Path that should be compressed
       type: Path
-      default: /tmp/victim-files/
+      default: '$HOME/$USERNAME'
     output_file:
       description: File that should be output
       type: Path
-      default: /tmp/victim-files.tar.gz
+      default: '$HOME/data.tar.gz'
   executor:
     name: sh
     elevation_required: false
+    prereq_command: |
+      test -e #{input_file_folder}
     command: |
-      tar -cvzf #{output_file} #{input_file_folder}
+      tar -cvzf #{output_file} #{input_file_folder}
+    cleanup_command: |
+      rm -f #{output_file}