Try it using Invoke-Atomic

Data from Network Shared Drive

Description from ATT&CK

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Atomic Tests

Atomic Test #1 - Copy a sensitive File over Administive share with copy

Copy from sensitive File from the c$ of another LAN computer with copy cmd https://twitter.com/SBousseaden/status/1211636381086339073

Supported Platforms: windows

auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660

Inputs:

Name Description Type Default Value
remote Remote server name string 127.0.0.1
share_file Remote Path to the file Path Windows\temp\Easter_Bunny.password
local_file Local name string Easter_egg.password

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}

Cleanup Commands:

1
2
del \\#{remote}\C$\#{share_file}
del %TEMP%\#{local_file}

Dependencies: Run with powershell!

Description: Administrative share must exist on #{remote}

Check Prereq Commands:

1
2
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host 'Please Enable "C$" share on #{remote}'

Description: "\#{remote}\C$#{share_file}" must exist on #{remote}

Check Prereq Commands:

1
2
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Out-File -FilePath "\\#{remote}\C$\#{share_file}"

Atomic Test #2 - Copy a sensitive File over Administive share with Powershell

Copy from sensitive File from the c$ of another LAN computer with powershell https://twitter.com/SBousseaden/status/1211636381086339073

Supported Platforms: windows

auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98

Inputs:

Name Description Type Default Value
remote Remote server name string 127.0.0.1
share_file Remote Path to the file Path Windows\temp\Easter_Bunny.password
local_file Local name string Easter_egg.password

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"

Cleanup Commands:

1
2
Remove-Item -Path "\\#{remote}\C$\#{share_file}"
Remove-Item -Path "$Env:TEMP\#{local_file}"

Dependencies: Run with powershell!

Description: Administrative share must exist on #{remote}

Check Prereq Commands:

1
2
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host 'Please Enable "C$" share on #{remote}'

Description: "\#{remote}\C$#{share_file}" must exist on #{remote}

Check Prereq Commands:

1
2
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Out-File -FilePath "\\#{remote}\C$\#{share_file}"

source