security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create T1025.yaml (#2962)

Browse Source 
* Create T1025.yaml

* Update T1025.yaml

Edit command key structre.

---------

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
This commit is contained in:
Burak Karaduman
2024-10-25 03:21:23 +03:00
committed by GitHub
parent 487dd6f39c
commit e701a4aa3e
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1025/T1025.yaml
+15
View File
@@ -0,0 +1,15 @@
attack_technique: T1025
display_name: Data from Removable Media
atomic_tests:
- name: Identify Documents on USB and Removable Media via PowerShell
description: |
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files
(e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files
matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics
how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"