From a83fbd47d69c8a15cd873946a5a257947526b500 Mon Sep 17 00:00:00 2001
From: JB <35406993+cherokeejb@users.noreply.github.com>
Date: Mon, 30 Dec 2019 09:26:55 -0600
Subject: [PATCH] corrections to test 1 (zip & gpg test with .sh) (#742)

* corrections to test 1 (zip & gpg test with .sh)

-corrected test with attempt to keep spirit of the original author
-(would probably be better to break into 2 tests or re-evaluate in context of entire recent T1022, but wanted to fix obvious errors)
-requires gpg which is not on all linux so added as a prereq
-corrected a missing $ in variable reference
-corrected bash syntax

* fixes per reviewer, added cleanup, and combined zip & gpg

-went ahead and just made it where used both gpg and zip on the same file
-added cleanup
-made all files to tmp as requested

Co-authored-by: Carrie Roberts
---
 atomics/T1022/T1022.yaml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/atomics/T1022/T1022.yaml b/atomics/T1022/T1022.yaml
index 29e1343c..8e3bc94d 100644
--- a/atomics/T1022/T1022.yaml
+++ b/atomics/T1022/T1022.yaml
@@ -3,27 +3,29 @@ attack_technique: T1022
 display_name: Data Encrypted
 atomic_tests:
-- name: Data Encrypted with zip and gpg
+- name: Data Encrypted with zip and gpg symmetric
   description: |
     Encrypt data for exiltration
   supported_platforms:
     - macos
-    - centos
-    - ubuntu
     - linux
   executor:
     name: sh
     elevation_required: false
+    prereq_command: which gpg
     command: |
-      echo "This file will be encrypted" > /tmp/victim-gpg.txt
-      mkdir PathToAtomicsFolder/T1022/victim-files
+      mkdir /tmp/victim-files
       cd /tmp/victim-files
       touch a b c d e f g
-      zip --password "insert password here" $PathToAtomicsFolder/victim-files.zip /tmp/victim-files/*
-      gpg -c $PathToAtomicsFolder/T1022/victim-gpg.txt
-
+      echo "creating zip with password 'insert password here'"
+      zip --password "insert password here" ./victim-files.zip ./*
+      echo "encrypting file with gpg, you will need to provide a password"
+      gpg -c /tmp/victim-files/victim-filex.zip
+      # ls -l
+    cleanup_command: |
+      rm -Rf /tmp/victim-files
 - name: Compress Data and lock with password for Exfiltration with winrar
   description: |