T1022.yaml
103 lines (95 loc) · 3.09 KB
---
attack_technique: T1022
display_name: Data Encrypted
atomic_tests:
- name: Data Encrypted with zip and gpg symmetric
  description: |
    Encrypt data for exfiltration
  supported_platforms:
    - macos
    - linux
  executor:
    name: sh
    elevation_required: false
    prereq_command: which gpg
    command: |
      mkdir /tmp/victim-files
      cd /tmp/victim-files
      touch a b c d e f g
      echo "creating zip with password 'insert password here'"
      zip --password "insert password here" ./victim-files.zip ./*
      echo "encrypting file with gpg, you will need to provide a password"
      # the archive created by zip above (the original file pointed gpg at a non-existent victim-filex.zip)
      gpg -c /tmp/victim-files/victim-files.zip
      #<enter passphrase and confirm>
      ls -l
    cleanup_command: |
      rm -Rf /tmp/victim-files
- name: Compress Data and lock with password for Exfiltration with winrar
  description: |
    Note: Requires winrar installation
    rar a -p"blue" hello.rar (VARIANT)
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      mkdir .\tmp\victim-files
      cd .\tmp\victim-files
      echo "This file will be encrypted" > .\encrypted_file.txt
      rar a -hp"blue" hello.rar
      dir
- name: Compress Data and lock with password for Exfiltration with winzip
  description: |
    Note: Requires winzip installation
    wzzip sample.zip -s"blueblue" *.txt (VARIANT)
  supported_platforms:
    - windows
  input_arguments:
    winzip_exe:
      description: Path to installed Winzip executable
      type: Path
      default: "%ProgramFiles%\\WinZip\\winzip64.exe"
    winzip_url:
      description: URL to download the WinZip installer
      type: url
      default: https://download.winzip.com/gl/nkln/winzip24-home.exe
    winzip_hash:
      description: File hash of the WinZip installer
      type: String
      default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB
  dependency_executor_name: powershell
  dependencies:
    - description: |
        Winzip must be installed
      prereq_command: |
        cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
      get_prereq_command: |
        if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
          Write-Host Follow the installation prompts to continue
          cmd /c "$env:Temp\winzip.exe"
        }
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      path=%path%;"C:\Program Files (x86)\winzip"
      mkdir .\tmp\victim-files
      cd .\tmp\victim-files
      echo "This file will be encrypted" > .\encrypted_file.txt
      "#{winzip_exe}" -min -a -s"hello" archive.zip *
      dir
- name: Compress Data and lock with password for Exfiltration with 7zip
  description: |
    Note: Requires 7zip installation
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      mkdir $PathToAtomicsFolder\T1022\victim-files
      cd $PathToAtomicsFolder\T1022\victim-files
      echo "This file will be encrypted" > .\encrypted_file.txt
      7z a archive.7z -pblue
      dir
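The five commands these tests run are exactly what process-creation telemetry records on the victim, so they make a good fixture for the detection side. The following is an added example written for this page, not part of Atomic Red Team: it classifies Sysmon-style events (the `Image` and `CommandLine` field names are an assumption) by tool, whether the archive's file names are hidden as well as its contents, and whether the passphrase itself is present in the command line. Four of the five tests put the password on the command line; that is worth preserving at triage because it lets a responder open the staged archive. Switch handling covers zip `-P`/`--password`/`-e`, gpg `-c`/`--symmetric` and `-e`/`--encrypt`, rar `-p`/`-hp`, 7z `-p`/`-mhe=on`, and wzzip/WinZip `-s`; the sample events are constructed from the tests plus three look-alikes that must not fire.

```python
"""Added example (not Atomic Red Team code): flag process-creation events that
create password-protected archives or symmetrically encrypt files, the way the
T1022 atomic tests above do.  Field names follow Sysmon Event ID 1 (assumed);
SAMPLE_EVENTS are constructed from the tests, not captured telemetry."""
from __future__ import annotations
import re
from typing import Optional

# A token is a run of non-blank characters in which quoted segments may contain
# blanks, so rar's -hp"blue" and zip's --password "insert password here" survive.
_TOKEN = re.compile(r"""(?:[^\s"']+|"[^"]*"|'[^']*')+""")
_SHORT = re.compile(r"-[A-Za-z0-9]+")          # clustered short flags such as -ca or -rP


def tokenize(cmdline: str) -> list[str]:
    return [re.sub(r"""["']""", "", t) for t in _TOKEN.findall(cmdline)]


def _tool(argv0: str) -> str:
    name = argv0.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _has_value(tok: str, prefixes: tuple[str, ...]) -> bool:
    """True when a switch like -pblue carries the passphrase inline (-p alone prompts)."""
    low = tok.lower()
    return any(low.startswith(p) and len(low) > len(p) for p in prefixes)


def classify(cmdline: str) -> Optional[dict]:
    """Return a finding when the command line creates a password-protected archive
    or symmetrically encrypts a file; None otherwise, including extraction or
    decryption with a password, which is a different activity."""
    argv = tokenize(cmdline)
    if not argv:
        return None
    tool, args = _tool(argv[0]), argv[1:]
    short = [a for a in args if _SHORT.fullmatch(a)]
    verb = next((a.lower() for a in args if not a.startswith("-")), "")  # rar/7z command letter
    f = None
    if tool == "zip":
        if "--password" in args or any("P" in a[1:] for a in short):
            f = dict(names_hidden=False, password_in_cmdline=True)   # -P pw / --password pw
        elif "--encrypt" in args or any("e" in a[1:] for a in short):
            f = dict(names_hidden=False, password_in_cmdline=False)  # -e prompts for it
    elif tool in ("gpg", "gpg2"):
        sym = "--symmetric" in args or any("c" in a[1:] for a in short)
        pk = "--encrypt" in args or any("e" in a[1:] for a in short)
        if sym or pk:   # whole file is ciphertext, so nothing inside is listable
            f = dict(names_hidden=True, password_in_cmdline="--passphrase" in args)
    elif tool in ("rar", "winrar") and verb in ("a", "u", "m", "f"):
        pw = [a for a in args if a.lower().startswith(("-p", "-hp"))]
        if pw:   # -hp encrypts the headers (file names) as well as the data
            f = dict(names_hidden=any(a.lower().startswith("-hp") for a in pw),
                     password_in_cmdline=any(_has_value(a, ("-hp", "-p")) for a in pw))
    elif tool in ("7z", "7za", "7zz", "7zr") and verb in ("a", "u"):
        pw = [a for a in args if a.lower().startswith("-p")]
        if pw:   # -mhe=on hides file names; plain -p leaves the listing readable
            f = dict(names_hidden=any(a.lower() in ("-mhe=on", "-mhe") for a in args),
                     password_in_cmdline=any(_has_value(a, ("-p",)) for a in pw))
    elif tool in ("wzzip", "winzip64", "winzip32"):
        pw = [a for a in args if a.lower().startswith("-s")]
        if pw:
            f = dict(names_hidden=False,
                     password_in_cmdline=any(_has_value(a, ("-s",)) for a in pw))
    if f:
        f.update(tool=tool, cmdline=cmdline)
    return f


def scan(events: list[dict]) -> list[dict]:
    """Run classify over Sysmon-style events and attach the process image."""
    out = []
    for ev in events:
        f = classify(ev.get("CommandLine", ""))
        if f:
            f["image"] = ev.get("Image", "")
            out.append(f)
    return out


# Constructed events: the commands the atomic tests above run (plus a 7z header-
# encryption variant) and three look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/zip", "CommandLine": 'zip --password "insert password here" ./victim-files.zip ./*'},
    {"Image": "/usr/bin/gpg", "CommandLine": "gpg -c /tmp/victim-files/victim-files.zip"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "CommandLine": 'rar a -hp"blue" hello.rar'},
    {"Image": r"C:\Program Files\WinZip\winzip64.exe",
     "CommandLine": r'"C:\Program Files\WinZip\winzip64.exe" -min -a -s"hello" archive.zip *'},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": "7z a archive.7z -pblue"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": "7z a secret.7z -p -mhe=on docs"},
    {"Image": "/usr/bin/zip", "CommandLine": "zip -r backup.zip /var/www"},          # no password
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": "7z x archive.7z -pblue"},  # extraction
    {"Image": "/usr/bin/gpg", "CommandLine": "gpg --verify release.tar.gz.sig"},    # signature check
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['tool']:<9} names_hidden={f['names_hidden']!s:<5} "
              f"password_in_cmdline={f['password_in_cmdline']!s:<5} {f['cmdline']}")
```

Running it lists six findings and stays silent on the unencrypted zip, the 7z extraction and the gpg signature check. Note which invocations leave `password_in_cmdline` false: `gpg -c` and a bare `7z -p` prompt for the passphrase, so the only artifact in the log is the tool and the output path, and recovery of the staged archive then depends on memory or keystroke capture rather than on command-line auditing.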