T1022 Updates (#470)
* T1022 Updates: Bypass PR #351 (some weird issue in there). Update schema and tab completion. Credit to @samuelmarticotteBELL. Thanks for the help!
* Update T1022.yaml: Fixed error
* Update T1022.yaml: space fix
* Generate docs from job=validate_atomics_generate_docs branch=T1022
@@ -6,12 +6,18 @@ Other exfiltration techniques likely apply as well to transfer the information o
## Atomic Tests
- [Atomic Test #1 - Data Encrypted](#atomic-test-1---data-encrypted)
- [Atomic Test #1 - Data Encrypted with zip and gpg](#atomic-test-1---data-encrypted-with-zip-and-gpg)
- [Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar](#atomic-test-2---compress-data-and-lock-with-password-for-exfiltration-with-winrar)
- [Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip](#atomic-test-3---compress-data-and-lock-with-password-for-exfiltration-with-winzip)
- [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip)
<br/>
## Atomic Test #1 - Data Encrypted
## Atomic Test #1 - Data Encrypted with zip and gpg
Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
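Review bot: the description `Encrypt data for exiltration` is kept with its typo ("exfiltration") while the heading and table-of-contents entry above it are renamed; since T1022.md is regenerated from T1022.yaml, correct the spelling in the YAML description so it does not reappear on the next generate-docs run.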
@@ -29,3 +35,57 @@ gpg -c /tmp/victim-gpg.txt
ls -l
```
<br/>
<br/>
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
```
<br/>
<br/>
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
```
<br/>
<br/>
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Note: Requires 7zip installation
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
```
<br/>
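Review bot: the winrar test's description variant `rar a -p"blue" hello.rar (VARIANT)` and its executor line `rar a -hp"blue" hello.rar` are not the same operation and the text does not say so: `-p` encrypts file data only, while `-hp` also encrypts the archive headers, so the file listing is unreadable without the password; state which form the test exercises or document both explicitly. The winzip test has the same problem in a stronger form: the description's `wzzip sample.zip -s"blueblue" *.txt (VARIANT)` names a different executable, archive and password from the executor's `winzip32 -min -a -s"hello" archive.zip *`, so either drop the variant lines or align them with what actually runs.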
@@ -3,10 +3,9 @@ attack_technique: T1022
display_name: Data Encrypted
atomic_tests:
- name: Data Encrypted
- name: Data Encrypted with zip and gpg
description: |
Encrypt data for exiltration
supported_platforms:
- macos
- centos
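Review bot: the rename to `Data Encrypted with zip and gpg` is the only change in this hunk, and the description directly below it, `Encrypt data for exiltration`, keeps both the typo and its vagueness; now that the name promises zip and gpg, the description should say what the test produces (the executor's `gpg -c /tmp/victim-gpg.txt` shows the gpg half) and spell "exfiltration" correctly, since this file is the source for the generated docs and indexes.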
@@ -24,3 +23,48 @@ atomic_tests:
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
- name: Compress Data and lock with password for Exfiltration with winrar
description: |
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
- name: Compress Data and lock with password for Exfiltration with winzip
description: |
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
description: |
Note: Requires 7zip installation
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
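Review bot: the three new Windows executors are inconsistent about prerequisites and inputs. The winzip command extends `path` with `C:\Program Files (x86)\winzip`, but `rar a -hp"blue" hello.rar` and `7z a archive.7z -pblue` assume `rar` and `7z` are already on PATH, and those two name no input files while winzip passes `*`; pass `encrypted_file.txt` (or `*`) explicitly in all three so that what ends up in the archive does not depend on each tool's default behaviour. None of the tests removes `./tmp/victim-files` afterwards, so repeated runs accumulate archives in the working directory; a cleanup step would keep the tests idempotent.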
@@ -696,7 +696,10 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -18990,7 +18990,7 @@ exfiltration:
created: '2017-05-31T21:30:30.260Z'
identifier: T1022
atomic_tests:
- name: Data Encrypted
- name: Data Encrypted with zip and gpg
description: 'Encrypt data for exiltration
'
@@ -19010,6 +19010,49 @@ exfiltration:
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
- name: Compress Data and lock with password for Exfiltration with winrar
description: |
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
- name: Compress Data and lock with password for Exfiltration with winzip
description: |
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
description: 'Note: Requires 7zip installation
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
T1030:
technique:
id: attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd
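Review bot: the gpg executor's `command: |` block still carries the line `<enter passphrase and confirm>` between `gpg -c /tmp/victim-gpg.txt` and `ls -l`; when the block is handed to a shell that line is not a command, and `gpg -c` blocks on an interactive prompt, so an unattended runner cannot complete this test. Either move that instruction into the description or make the encryption non-interactive with a documented test passphrase (gpg's `--batch --passphrase` options), so that the generated index describes a test that actually runs without a human at the keyboard.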
@@ -107,7 +107,7 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -163,7 +163,7 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -412,6 +412,9 @@
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)