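# Caldera stockpile ability definition (a single list item).  Tokens of the form
# #{fact.name} inside the block scalars below are Caldera fact placeholders that
# are substituted at run time; they are not YAML comments.
- id: 5c5b0392-1daa-45e1-967c-2f361ce78849
  name: Compress Staged Directory (Password Protected) and Split Into Smaller Chunks
  description: |
    This ability will compress the staged files into a password protected archive and break it
    into smaller chunks based on the given byte size. The original archive will be automatically
    deleted. Use this instead of other archiving abilities if small file sizes for exfiltration
    are desired. When used with an exfiltration ability, the exfiltration ability will run numerous
    times in an operation depending on how many chunks are created.
  tactic: exfiltration
  technique:
    attack_id: T1030
    name: Data Transfer Size Limits
  platforms:
    linux:
      sh:
        # Detection note: the archive passphrase is passed as a command-line argument
        # (--passphrase), so it is present in process command-line telemetry.
        # The staged path is single-quoted on every line (including the tar -C and the
        # redirect target) so a path containing spaces is handled consistently.
        # split uses its default two-letter suffix, giving calderachunkaa, calderachunkab, ...
        command: |
          tar -C '#{host.dir.staged}' -czf - . | gpg -c --pinentry-mode=loopback --passphrase '#{host.archive.password}' > '#{host.dir.staged}.tar.gz.gpg';
          split -b#{file.size.chunk} '#{host.dir.staged}.tar.gz.gpg' '#{host.dir.staged}'/calderachunk;
          rm '#{host.dir.staged}.tar.gz.gpg';
          find '#{host.dir.staged}' -maxdepth 1 -name 'calderachunk*' 2>/dev/null;
        cleanup: |
          find '#{host.dir.staged}' -maxdepth 1 -name 'calderachunk*' -exec rm -rf {} \;
        # Each path printed by the final `find` becomes a host.dir.compress fact
        # (presumably one fact per chunk - confirm against the basic parser).
        parsers:
          plugins.stockpile.app.parsers.basic:
            - source: host.dir.compress
    windows:
      psh:
        # Detection note: as on linux, the passphrase is on the 7z command line (-p...).
        # Chunks are written as calderachunk000, calderachunk001, ... beside the staged
        # directory, each holding at most #{file.size.chunk} bytes; the trailing
        # Get-ChildItem prints their full paths for the parser below.
        command: |
          & "C:\Program Files\7-Zip\7z.exe" a "#{host.dir.staged}.7z" "#{host.dir.staged}\*" '-p#{host.archive.password}' | Out-Null;
          sleep 2;
          $Archive = Get-Item -Path "#{host.dir.staged}.7z";
          $StageDir = "#{host.dir.staged}";
          $BaseName = $StageDir + "\calderachunk";
          $UpperBound = [int32]"#{file.size.chunk}";
          $Content = [IO.File]::OpenRead($Archive);
          $buff = New-Object byte[] $UpperBound;
          $Bytes = $idx = 0;
          try {
            do {
              $Bytes = $Content.Read($buff, 0, $buff.Length);
              if ($Bytes -gt 0) {
                $ChunkName = "{0}{1}" -f ($BaseName, $idx.ToString().PadLeft(3,'0'));
                $ChunkFile = [IO.File]::OpenWrite($ChunkName);
                try {
                  $ChunkFile.Write($buff, 0, $Bytes);
                } finally {
                  $ChunkFile.Close();
                }
              }
              $idx ++;
            } while ($Bytes -gt 0)
          }
          finally {
            $Content.Close();
          }
          Remove-Item $Archive;
          Get-ChildItem -Path "$StageDir\calderachunk*" | foreach {$_.FullName} | Select-Object;
        # cleanup is executed as its own command, where the $StageDir variable assigned
        # in `command` is not in scope; the fact placeholder is referenced directly,
        # matching the linux cleanup above.
        cleanup: |
          Get-ChildItem -Path "#{host.dir.staged}\calderachunk*" | Remove-Item;
        parsers:
          plugins.stockpile.app.parsers.basic:
            - source: host.dir.compress
  # paw_provenance: presumably restricts host.dir.staged to facts collected by the
  # same agent (paw) that runs this ability - verify against the requirement module.
  requirements:
    - plugins.stockpile.app.requirements.paw_provenance:
        - source: host.dir.staged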