Zip a folder with PowerShell (#640)

* add test to compress directory and delete it

* remove cleanup commands because I don't have a way to test them yet

* fix paths

* fix command misspelling

* zip into C drive

* fix paths to Temp finally

* move to data staging
This commit is contained in:
Andrew Beers
2019-11-18 07:28:44 -08:00
committed by Carrie Roberts
parent 232fb47eda
commit 65d0f6dc5d
3 changed files with 19 additions and 6 deletions
+5 -5
@@ -17,11 +17,11 @@ atomic_tests:
elevation_required: false
command: |
echo "This file will be encrypted" > /tmp/victim-gpg.txt
mkdir /tmp/victim-files
mkdir PathToAtomicsFolder/T1022/victim-files
cd /tmp/victim-files
touch a b c d e f g
zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/*
gpg -c /tmp/victim-gpg.txt
zip --password "insert password here" $PathToAtomicsFolder/victim-files.zip /tmp/victim-files/*
gpg -c $PathToAtomicsFolder/T1022/victim-gpg.txt
<enter passphrase and confirm>
ls -l
@@ -67,8 +67,8 @@ atomic_tests:
name: command_prompt
elevation_required: false
command: |
mkdir .\tmp\victim-files
cd .\tmp\victim-files
mkdir $PathToAtomicsFolder\T1022\victim-files
cd $PathToAtomicsFolder\T1022\victim-files
echo "This file will be encrypted" > .\encrypted_file.txt
7z a archive.7z -pblue
dir
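Review bot: In the bash hunk (`@@ -17,11`), the new `mkdir PathToAtomicsFolder/T1022/victim-files` lacks the `$` the other new lines use, so it creates a directory literally named `PathToAtomicsFolder` under the working directory, while the unchanged `cd /tmp/victim-files` and the `/tmp/victim-files/*` source in the `zip` line still point at the `/tmp` directory whose `mkdir` this commit removes. The new `gpg -c $PathToAtomicsFolder/T1022/victim-gpg.txt` likewise targets a file that the unchanged `echo ... > /tmp/victim-gpg.txt` line creates elsewhere, so the staging and archiving steps of this test no longer agree on where the victim files live. Either keep the `/tmp` layout or move every path to the same base: `mkdir $PathToAtomicsFolder/T1022/victim-files`, `cd $PathToAtomicsFolder/T1022/victim-files`, `zip --password "insert password here" $PathToAtomicsFolder/T1022/victim-files.zip $PathToAtomicsFolder/T1022/victim-files/*`, with the `echo` redirected into that directory as well. The command_prompt hunk writes `$PathToAtomicsFolder` in a cmd.exe step, which presumably relies on the framework substituting that token textually before execution; worth confirming rather than assuming.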
+14 -1
@@ -27,4 +27,17 @@ atomic_tests:
executor:
name: bash
command: |
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
- name: Zip a Folder with PowerShell
description: |
use living off the land tools to encrypt and zip a file for exfiltration
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_encrypt -DestinationPath $env:TEMP\Folder_to_encrypt.zip
cleanup_command: |
Remove-Item -Path $env:TEMP\Folder_to_encrypt.zip
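Review bot: The description of the new `Zip a Folder with PowerShell` test says the step encrypts the folder, but `Compress-Archive` as invoked here produces a plain, unencrypted zip, so the description and the `Folder_to_encrypt` naming overstate what a detection would observe; I would change the description to `Use built-in PowerShell (Compress-Archive) to zip a folder into $env:TEMP, staging it for exfiltration`. The command also fails on a second run if cleanup did not happen, because `Compress-Archive` refuses to overwrite an existing destination without `-Force`, and `Remove-Item` errors when the zip is absent: `Compress-Archive -Path "$PathToAtomicsFolder\T1074\bin\Folder_to_encrypt" -DestinationPath "$env:TEMP\Folder_to_encrypt.zip" -Force` and `Remove-Item -Path "$env:TEMP\Folder_to_encrypt.zip" -ErrorAction Ignore`. The source folder `T1074\bin\Folder_to_encrypt` is not visible in this diff; presumably it is the third changed file, which should be confirmed. The two `curl ... Discovery.sh` lines read identically here, so that change is likely whitespace-only.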