Atomic Red Team doc generator
17 lines
1.3 KiB
YAML
17 lines
1.3 KiB
YAML
attack_technique: T1025
|
|
display_name: Data from Removable Media
|
|
atomic_tests:
|
|
- name: Identify Documents on USB and Removable Media via PowerShell
|
|
auto_generated_guid: 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
|
|
description: |
|
|
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files
|
|
(e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files
|
|
matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics
|
|
how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"
|