From 5259c936c1f26f7ff162ca00640db226bc09aed0 Mon Sep 17 00:00:00 2001 From: Andras32 Date: Thu, 14 Nov 2019 21:37:26 -0600 Subject: [PATCH] Updated T1002 (#655) --- atomics/T1002/T1002.yaml | 52 +++++++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 14 deletions(-) diff --git a/atomics/T1002/T1002.yaml b/atomics/T1002/T1002.yaml index 522d5dad..00f368a4 100644 --- a/atomics/T1002/T1002.yaml +++ b/atomics/T1002/T1002.yaml @@ -1,7 +1,7 @@ --- attack_technique: T1002 display_name: Data Compressed - +# Changed to dir User Profile instead of entire C: directory atomic_tests: - name: Compress Data for Exfiltration With PowerShell description: | @@ -12,16 +12,18 @@ atomic_tests: input_file: description: Path that should be compressed into our output file type: Path - default: C:\* + default: $env:USERPROFILE output_file: description: Path where resulting compressed data should be placed type: Path - default: C:\test\Data.zip + default: $env:USERPROFILE\data.zip executor: name: powershell elevation_required: false command: | dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} + cleanup_command: | + Remove-Item -path #{output_file} - name: Compress Data for Exfiltration With Rar description: | 
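Review bot: The added line `# Changed to dir User Profile instead of entire C: directory` records the history of this edit rather than describing the file, which is what the commit message already does, and it also takes the place of the blank line that separated the header keys from `atomic_tests:`. I would restore the blank line and drop the comment, or reword it so it describes the current state instead of the change, e.g. `# Defaults target the user profile rather than the whole system drive so the test finishes quickly.`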
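Review bot: The new default `$env:USERPROFILE\data.zip` places the archive inside the tree that `dir #{input_file} -Recurse` is enumerating, so a long first run or any re-run can feed the archive back into itself, and `Compress-Archive` is called without `-Force`, so it fails outright if `data.zip` survived an earlier run whose cleanup did not execute. Piping every item from a recursive `dir` into the cmdlet is also redundant, since `Compress-Archive` recurses directories on its own, and on a real profile the walk will likely stop on locked files such as `NTUSER.DAT` (not verified here). I would write the command as `Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force` and give `output_file` a default outside `input_file`, e.g. `$env:TEMP\data.zip`; the `input_file` argument is now a directory, so its description should say so.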
@@ -29,19 +31,27 @@ atomic_tests: supported_platforms: - windows input_arguments: - input_file: + input_path: description: Path that should be compressed into our output file type: Path - default: "*.docx" + default: '%USERPROFILE%' + file_extension: + description: Extension of files to compress + type: String + default: ".txt" output_file: description: Path where resulting compressed data should be placed type: Path - default: exfilthis.rar + default: '%USERPROFILE%\data.rar' executor: name: command_prompt elevation_required: false + prereq_command: | + rar /? command: | - rar a -r #{output_file} #{input_file} + rar a -r #{output_file} #{input_path}*{file_extension} + cleanup_command: + del -f #{output_file} - name: Data Compressed - nix - zip description: | @@ -53,16 +63,20 @@ atomic_tests: input_files: description: Path that should be compressed into our output file, may include wildcards type: Path - default: /tmp/victim-files/* + default: $HOME/*.txt output_file: description: Path that should be output as a zip archive type: Path - default: /tmp/victim-files.zip + default: $HOME/data.zip executor: name: sh elevation_required: false + prereq_command: | + ls #{input_file} command: | zip #{output_file} #{input_files} + cleanup_command: + rm -f #{output_file} - name: Data Compressed - nix - gzip Single File description: | 
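Review bot: In the rar command, `#{input_path}*{file_extension}` never expands the `file_extension` argument because the placeholder is missing its `#`, and there is no path separator before the wildcard, so after substitution rar receives `%USERPROFILE%*{file_extension}`, a pattern matched against the parent of the profile directory rather than its contents. It should read `rar a -r #{output_file} #{input_path}\*#{file_extension}`. The cleanup `del -f #{output_file}` uses a Unix-style flag; `del` takes `/f` and, as far as I can tell, treats `-f` as a second file name to delete, so use `del /f #{output_file}`. The prerequisite `rar /?` only proves rar is installed if its exit status is zero, which I have not checked for the help switch; `where rar` is the conventional check and exits non-zero when the tool is absent.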
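Review bot: The new prerequisite `ls #{input_file}` references an argument that this test does not declare — the argument is `input_files`, as the `command:` line `zip #{output_file} #{input_files}` correctly uses — so the placeholder is never substituted and the check runs `ls` on the literal string `#{input_file}`, failing whether or not the files exist. It should be `ls #{input_files}`. With the default `$HOME/*.txt` the shell expands the glob before `ls` runs, and when nothing matches the unexpanded pattern is passed through and `ls` exits non-zero, which is the useful outcome here; a comment on the `prereq_command:` line would make that intent visible, e.g. `# exits non-zero when no matching file exists, so an empty archive is never produced`.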
@@ -74,12 +88,18 @@ atomic_tests: input_file: description: Path that should be compressed type: Path - default: /tmp/victim-gzip.txt + default: $HOME/victim-gzip.txt + input_content: + description: contents of compressed files if file does not already exist. default contains test credit card and social security number + type: String + default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' executor: name: sh elevation_required: false command: | - gzip -f #{input_file} + test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file}) + cleanup_command: | + rm -f #{input_file}.gz - name: Data Compressed - nix - tar Folder or File description: | @@ -91,13 +111,17 @@ atomic_tests: input_file_folder: description: Path that should be compressed type: Path - default: /tmp/victim-files/ + default: '$HOME/$USERNAME' output_file: description: File that should be output type: Path - default: /tmp/victim-files.tar.gz + default: '$HOME/data.tar.gz' executor: name: sh elevation_required: false + prereq_command: | + test -e #{input_file_folder} command: | - tar -cvzf #{output_file} #{input_file_folder} \ No newline at end of file + tar -cvzf #{output_file} #{input_file_folder} + cleanup_command: | + rm -f #{output_file} \ No newline at end of file
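Review bot: The chain `test -e X && gzip -k X || (echo ... >> X; gzip -k X)` runs the fallback whenever either preceding command fails, not only when the file is missing: if the file exists but `gzip -k` refuses to run (for instance because `X.gz` is left over from a run whose cleanup did not execute, now that `-f` has been dropped), the fallback appends the test SSN/credit-card line to the existing file with `>>` and then fails the same way. The two concerns should be separated: `[ -e #{input_file} ] || echo '#{input_content}' > #{input_file}` followed by `gzip -kf #{input_file}`. `gzip -k` is also not available on every target (older GNU gzip releases and some BusyBox builds lack it — not verified for each platform), which deserves a comment on the `command:` line since the previous version relied only on `-f`.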
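Review bot: The new default `'$HOME/$USERNAME'` for `input_file_folder` is unlikely to name a real directory: `$USERNAME` is not a POSIX variable and is typically unset under plain `sh` (the portable name is `$USER`), and `$HOME` is already the user's directory rather than its parent, so the prerequisite `test -e #{input_file_folder}` either fails or, with an empty expansion, degenerates to `test -e $HOME/`. In that second case tar archives the entire home directory, including the `data.tar.gz` it is writing into it — GNU tar skips the archive with a warning, but the run is slow and noisy, and on a non-GNU tar the behaviour is unverified. I would default to something that exists by construction, e.g. `default: '$HOME'`, or keep a dedicated `$HOME/victim-files` directory that the prerequisite creates, and note on the argument that `# the prereq only checks that the folder exists; it does not create it`.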