Update T1560.001.yaml (#3132)

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
itsmeLevan
2025-08-12 04:54:19 +04:00
committed by GitHub
parent 69425eec3c
commit 58ff536735
+44
@@ -413,3 +413,47 @@ atomic_tests:
makecab.exe #{input_file} #{output_file}
cleanup_command: |
del #{output_file}
- name: Copy and Compress AppData Folder
description: |
Copies the AppData folder, compresses it, and cleans up temporary files.
supported_platforms:
- windows
input_arguments:
destination_folder:
type: Path
default: $env:USERPROFILE\Desktop\AppDataCopy
description: Temporary copy location
zip_file_path:
type: Path
default: $env:USERPROFILE\Desktop\AppDataBackup.zip
description: ZIP archive path
dependencies:
- description: Requires admin and .NET compression libraries
prereq_command: |
if (-not ([Security.Principal.WindowsPrincipal] `
[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
[Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
get_prereq_command: |
Run PowerShell as Administrator and ensure .NET compression assemblies are available.
executor:
name: powershell
elevation_required: true
command: |
$AppData="$env:USERPROFILE\AppData"
$Copy="#{destination_folder}"
$Zip="#{zip_file_path}"
if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
New-Item -ItemType Directory -Path $Copy | Out-Null
Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
$rel = $_.FullName.Substring($AppData.Length + 1)
$dest = Join-Path $Copy $rel
if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
}
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)