Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
103 lines
3.1 KiB
YAML
103 lines
3.1 KiB
YAML
---
|
|
attack_technique: T1002
|
|
display_name: Data Compressed
|
|
|
|
atomic_tests:
|
|
- name: Compress Data for Exfiltration With PowerShell
|
|
description: |
|
|
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
input_file:
|
|
description: Path that should be compressed into our output file
|
|
type: Path
|
|
default: C:\*
|
|
output_file:
|
|
description: Path where resulting compressed data should be placed
|
|
type: Path
|
|
default: C:\test\Data.zip
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
|
|
|
|
- name: Compress Data for Exfiltration With Rar
|
|
description: |
|
|
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
input_file:
|
|
description: Path that should be compressed into our output file
|
|
type: Path
|
|
default: "*.docx"
|
|
output_file:
|
|
description: Path where resulting compressed data should be placed
|
|
type: Path
|
|
default: exfilthis.rar
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
rar a -r #{output_file} #{input_file}
|
|
|
|
- name: Data Compressed - nix - zip
|
|
description: |
|
|
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
input_files:
|
|
description: Path that should be compressed into our output file, may include wildcards
|
|
type: Path
|
|
default: /tmp/victim-files/*
|
|
output_file:
|
|
description: Path that should be output as a zip archive
|
|
type: Path
|
|
default: /tmp/victim-files.zip
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
zip #{output_file} #{input_files}
|
|
|
|
- name: Data Compressed - nix - gzip Single File
|
|
description: |
|
|
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
input_file:
|
|
description: Path that should be compressed
|
|
type: Path
|
|
default: /tmp/victim-gzip.txt
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
gzip -f #{input_file}
|
|
|
|
- name: Data Compressed - nix - tar Folder or File
|
|
description: |
|
|
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
input_file_folder:
|
|
description: Path that should be compressed
|
|
type: Path
|
|
default: /tmp/victim-files/
|
|
output_file:
|
|
description: File that should be output
|
|
type: Path
|
|
default: /tmp/victim-files.tar.gz
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
tar -cvzf #{output_file} #{input_file_folder} |