Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
28 lines
1.0 KiB
YAML
28 lines
1.0 KiB
YAML
attack_technique: T1560
|
|
display_name: Archive Collected Data
|
|
|
|
atomic_tests:
|
|
- name: Compress Data for Exfiltration With PowerShell
|
|
auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
|
|
description: |
|
|
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
|
|
When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
input_file:
|
|
description: Path that should be compressed into our output file
|
|
type: path
|
|
default: $env:USERPROFILE
|
|
output_file:
|
|
description: Path where resulting compressed data should be placed
|
|
type: path
|
|
default: $env:USERPROFILE\T1560-data-ps.zip
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
|
|
cleanup_command: |-
|
|
Remove-Item -path #{output_file} -ErrorAction Ignore
|