changed if statement to not fail when variable is unassigned #234

Open. Wants to merge 4 commits into base: master.
2 changes: 1 addition & 1 deletion .travis.yml
@@ -1,7 +1,7 @@
dist: xenial
language: python
python:
- "3.7"
- "3.7"

install: pip install -r requirements.txt

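Review bot: the old and new `- "3.7"` lines under `python:` render identically, so the only difference in this file is whitespace or quoting, and it is unrelated to the PR title ("changed if statement to not fail when variable is unassigned"). Either drop this file from the PR or state in the description what actually changed (for example trailing whitespace) so reviewers do not have to diff the bytes themselves.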
106 changes: 47 additions & 59 deletions Atomic_Threat_Coverage/Triggers/T1002.md
@@ -1,5 +1,7 @@
# T1002 - Data Compressed

## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)

<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>

## Atomic Tests
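Review bot: this hunk only inserts blank lines around the `## [Description from ATT&CK](...)` heading (5 lines become 7), with no wording change. If these Trigger pages are generated, as the identical per-test boilerplate below suggests, the blank-line change should come from the generator template and the PR description should say the triggers were regenerated; otherwise the next regeneration silently reverts it. While the file is being regenerated anyway, the link still uses the legacy `https://attack.mitre.org/wiki/Technique/T1002` path; the current form is `https://attack.mitre.org/techniques/T1002/` (the old path only redirects).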
@@ -14,54 +16,48 @@

- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)


<br/>

## Atomic Test #1 - Compress Data for Exfiltration With PowerShell

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1002-data-ps.zip in the $env:USERPROFILE directory
When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called
T1002-data-ps.zip in the $env:USERPROFILE directory

**Supported Platforms:** Windows




#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE&#92;T1002-data-ps.zip|


#### Attack Commands: Run with `powershell`!

#### Attack Commands: Run with `powershell`!

```powershell
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```

#### Cleanup Commands:

```powershell
Remove-Item -path #{output_file} -ErrorAction Ignore
```





<br/>
<br/>

## Atomic Test #2 - Compress Data for Exfiltration With Rar

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1002-data.rar in the %USERPROFILE% directory
When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called
T1002-data.rar in the %USERPROFILE% directory

**Supported Platforms:** Windows




#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
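Review bot: the description sentences for Test #1 and Test #2 are now hard-wrapped at roughly 110 characters ("...in a file called" / "T1002-data-ps.zip in the $env:USERPROFILE directory") while the ATT&CK blockquote and the Inputs table rows stay as single long lines; pick one wrapping rule for the generator rather than mixing both in one file. Markdown joins the wrapped lines back into one paragraph, so rendering is unchanged, but the sentence still ends without a period. The rest of the hunk is whitespace only: the paired `#### Attack Commands: Run with `powershell`!` lines appear identical in the rendered diff, so they differ in trailing whitespace, and the runs of blank lines and `<br/>` are being collapsed.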
@@ -70,162 +66,154 @@ When the test completes you should find the txt files from the %USERPROFILE% dir
| rar_installer | Winrar installer | Path | %TEMP%&#92;winrar.exe|
| rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|


#### Attack Commands: Run with `command_prompt`!

#### Attack Commands: Run with `command_prompt`!

```cmd
"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
```

#### Cleanup Commands:

```cmd
del /f /q /s #{output_file} >nul 2>&1
```



#### Dependencies: Run with `command_prompt`!

##### Description: Rar tool must be installed at specified location (#{rar_exe})

##### Check Prereq Commands:

```cmd
if not exist "#{rar_exe}" (exit /b 1)
```

##### Get Prereq Commands:

```cmd
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
echo Follow the installer prompts to install Winrar
#{rar_installer}
```




<br/>
<br/>

## Atomic Test #3 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

**Supported Platforms:** Linux, macOS


An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses
standard zip compression.

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt|
| output_file | Path that should be output as a zip archive | Path | $HOME/data.zip|


#### Attack Commands: Run with `sh`!

#### Attack Commands: Run with `sh`!

```sh
zip #{output_file} #{input_files}
```

#### Cleanup Commands:

```sh
rm -f #{output_file}
```



#### Dependencies: Run with `sh`!

##### Description: Files to zip must exist (#{input_files})

##### Check Prereq Commands:

```sh
ls #{input_files}
```

##### Get Prereq Commands:

```sh
echo Please set input_files argument to include files that exist
```




<br/>
<br/>

## Atomic Test #4 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** Linux, macOS


An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses
standard gzip compression.

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt|
| input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|


#### Attack Commands: Run with `sh`!

#### Attack Commands: Run with `sh`!

```sh
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
```

#### Cleanup Commands:

```sh
rm -f #{input_file}.gz
```





<br/>
<br/>

## Atomic Test #5 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.

**Supported Platforms:** Linux, macOS


An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses
standard gzip compression.

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME|
| output_file | File that should be output | Path | $HOME/data.tar.gz|


#### Attack Commands: Run with `sh`!

#### Attack Commands: Run with `sh`!

```sh
tar -cvzf #{output_file} #{input_file_folder}
```

#### Cleanup Commands:

```sh
rm -f #{output_file}
```



#### Dependencies: Run with `sh`!

##### Description: Folder to zip must exist (#{input_file_folder})

##### Check Prereq Commands:

```sh
test -e #{input_file_folder}
```

##### Get Prereq Commands:

```sh
echo Please set input_file_folder argument to a folder that exists
```




<br/>
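Review bot: three of the unchanged command lines carried through this whitespace-only hunk have logic problems that should be fixed while the file is being regenerated. In Test #4, `test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})` takes the `||` branch whenever the first `gzip -k` fails (for example because `#{input_file}.gz` is left over from an earlier run), and then appends the fake SSN/CCN line to whatever real file the user pointed `input_file` at; use an explicit `if test -e "#{input_file}"; then gzip -k "#{input_file}"; else echo '#{input_content}' > "#{input_file}"; gzip -k "#{input_file}"; fi`, and note that the cleanup `rm -f #{input_file}.gz` leaves the created plaintext file behind. In Test #5, the default `input_file_folder` of `$HOME/$USERNAME` depends on `$USERNAME`, which neither POSIX nor bash guarantees (`$USER`/`$LOGNAME` are what login sets), and `$HOME/<login name>` is not a directory that exists on a typical Linux or macOS host, so `test -e #{input_file_folder}` fails with the defaults; `$HOME` or a subdirectory of it is a safer default. In Test #2's cleanup, `del /f /q /s #{output_file}` with `/s` deletes every file named T1002-data.rar in every subdirectory of %USERPROFILE%, not only the one the test created; drop `/s`.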