Try it using Invoke-Atomic

Data from Local System

Description from ATT&CK

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.

Atomic Tests

Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)

This test searches for files of certain extensions and saves them to a single zip file prior to extraction.

Supported Platforms: windows

auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c

Inputs:

Name Description Type Default Value
starting_directory Path to starting directory for the search Path C:\Users
output_zip_folder_path Path to directory for saving the generated zip file Path PathToAtomicsFolder..\ExternalPayloads\T1005
file_extensions List of file extensions to be searched and zipped, separated by comma and space string .doc, .docx, .txt

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

Cleanup Commands:

1
2

Remove-Item -Path  $outputZip\data.zip -Force

source