Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1733-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1734-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Indexes-CSV/index.csv

@@ -1535,6 +1535,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypte
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Compress AppData Folder,05e8942e-f04f-460a-b560-f7781257feec,powershell
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1077,6 +1077,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data
 collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Compress AppData Folder,05e8942e-f04f-460a-b560-f7781257feec,powershell
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -2079,6 +2079,7 @@
   - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
   - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
   - Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
+  - Atomic Test #12: Copy and Compress AppData Folder [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #1: Screencapture [macos]
   - Atomic Test #2: Screencapture (silent) [macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1486,6 +1486,7 @@
   - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
   - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
   - Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
+  - Atomic Test #12: Copy and Compress AppData Folder [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #7: Windows Screencapture [windows]
   - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]

atomics/Indexes/index.yaml

@@ -84773,6 +84773,54 @@ collection:
         cleanup_command: 'del #{output_file}
 
           '
+    - name: Copy and Compress AppData Folder
+      auto_generated_guid: 05e8942e-f04f-460a-b560-f7781257feec
+      description: 'Copies the AppData folder, compresses it, and cleans up temporary
+        files.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        destination_folder:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataCopy"
+          description: Temporary copy location
+        zip_file_path:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataBackup.zip"
+          description: ZIP archive path
+      dependencies:
+      - description: Requires admin and .NET compression libraries
+        prereq_command: |
+          if (-not ([Security.Principal.WindowsPrincipal] `
+              [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+              [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+          if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+        get_prereq_command: 'Run PowerShell as Administrator and ensure .NET compression
+          assemblies are available.
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $AppData="$env:USERPROFILE\AppData"
+          $Copy="#{destination_folder}"
+          $Zip="#{zip_file_path}"
+
+          if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+          New-Item -ItemType Directory -Path $Copy | Out-Null
+
+          Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+            $rel = $_.FullName.Substring($AppData.Length + 1)
+            $dest = Join-Path $Copy $rel
+            if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+            else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+          }
+
+          Add-Type -AssemblyName System.IO.Compression.FileSystem
+          [System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
   T1113:
     technique:
       type: attack-pattern

atomics/Indexes/windows-index.yaml

@@ -70248,6 +70248,54 @@ collection:
         cleanup_command: 'del #{output_file}
 
           '
+    - name: Copy and Compress AppData Folder
+      auto_generated_guid: 05e8942e-f04f-460a-b560-f7781257feec
+      description: 'Copies the AppData folder, compresses it, and cleans up temporary
+        files.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        destination_folder:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataCopy"
+          description: Temporary copy location
+        zip_file_path:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataBackup.zip"
+          description: ZIP archive path
+      dependencies:
+      - description: Requires admin and .NET compression libraries
+        prereq_command: |
+          if (-not ([Security.Principal.WindowsPrincipal] `
+              [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+              [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+          if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+        get_prereq_command: 'Run PowerShell as Administrator and ensure .NET compression
+          assemblies are available.
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $AppData="$env:USERPROFILE\AppData"
+          $Copy="#{destination_folder}"
+          $Zip="#{zip_file_path}"
+
+          if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+          New-Item -ItemType Directory -Path $Copy | Out-Null
+
+          Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+            $rel = $_.FullName.Substring($AppData.Length + 1)
+            $dest = Join-Path $Copy $rel
+            if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+            else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+          }
+
+          Add-Type -AssemblyName System.IO.Compression.FileSystem
+          [System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
   T1113:
     technique:
       type: attack-pattern

atomics/T1560.001/T1560.001.md

@@ -36,6 +36,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi
 
 - [Atomic Test #11 - Compress a File for Exfiltration using Makecab](#atomic-test-11---compress-a-file-for-exfiltration-using-makecab)
 
+- [Atomic Test #12 - Copy and Compress AppData Folder](#atomic-test-12---copy-and-compress-appdata-folder)
+
 
 <br/>
 
@@ -641,4 +643,68 @@ fsutil file createnew c:\Temp\sam.hiv 10485760
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #12 - Copy and Compress AppData Folder
+Copies the AppData folder, compresses it, and cleans up temporary files.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 05e8942e-f04f-460a-b560-f7781257feec
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| destination_folder | Temporary copy location | Path | $env:USERPROFILE&#92;Desktop&#92;AppDataCopy|
+| zip_file_path | ZIP archive path | Path | $env:USERPROFILE&#92;Desktop&#92;AppDataBackup.zip|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$AppData="$env:USERPROFILE\AppData"
+$Copy="#{destination_folder}"
+$Zip="#{zip_file_path}"
+
+if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+New-Item -ItemType Directory -Path $Copy | Out-Null
+
+Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+  $rel = $_.FullName.Substring($AppData.Length + 1)
+  $dest = Join-Path $Copy $rel
+  if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+  else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+}
+
+Add-Type -AssemblyName System.IO.Compression.FileSystem
+[System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Requires admin and .NET compression libraries
+##### Check Prereq Commands:
+```powershell
+if (-not ([Security.Principal.WindowsPrincipal] `
+    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+    [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Run PowerShell as Administrator and ensure .NET compression assemblies are available.
+```
+
+
+
+
 <br/>

atomics/T1560.001/T1560.001.yaml

@@ -415,6 +415,7 @@ atomic_tests:
       del #{output_file}
 
 - name: Copy and Compress AppData Folder
+  auto_generated_guid: 05e8942e-f04f-460a-b560-f7781257feec
   description: |
     Copies the AppData folder, compresses it, and cleans up temporary files.
   supported_platforms:

atomics/used_guids.txt

@@ -1757,3 +1757,4 @@ e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
 1174b5df-2c33-490f-8854-f5eb80c907ca
 7693ccaa-8d64-4043-92a5-a2eb70359535
 b404caaa-12ce-43c7-9214-62a531c044f7
+05e8942e-f04f-460a-b560-f7781257feec