security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2024-10-25 00:22:17 +00:00
parent e701a4aa3e
commit a9f4ffeb4f
25 changed files with 114 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1025/T1025.md
+42
View File
@@ -0,0 +1,42 @@
# T1025 - Data from Removable Media
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1025)
<blockquote>Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell](#atomic-test-1---identify-documents-on-usb-and-removable-media-via-powershell)
<br/>
## Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files
(e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files
matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics
how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
**Supported Platforms:** Windows
**auto_generated_guid:** 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
#### Attack Commands: Run with `command_prompt`!
```cmd
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"
```
<br/>
atomics/T1025/T1025.yaml
+1
View File
@@ -2,6 +2,7 @@ attack_technique: T1025
display_name: Data from Removable Media
atomic_tests:
- name: Identify Documents on USB and Removable Media via PowerShell
auto_generated_guid: 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
description: |
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files
(e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files