atc-project · WildDogOne · May 25, 2022 · May 25, 2022 · May 25, 2022 · May 25, 2022
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,7 @@
 dist: xenial
 language: python
 python:
- - "3.7"
+  - "3.7"
 
 install: pip install -r requirements.txt
 

diff --git a/Atomic_Threat_Coverage/Triggers/T1002.md b/Atomic_Threat_Coverage/Triggers/T1002.md
@@ -1,5 +1,7 @@
 # T1002 - Data Compressed
+
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
+
 <blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
 
 ## Atomic Tests
@@ -14,54 +16,48 @@
 
 - [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
 
-
 <br/>
 
 ## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
+
 An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
-When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1002-data-ps.zip in the $env:USERPROFILE directory 
+When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called
+T1002-data-ps.zip in the $env:USERPROFILE directory
 
 **Supported Platforms:** Windows
 
-
-
-
 #### Inputs:
+
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
 | output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE&#92;T1002-data-ps.zip|
 
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!
 
 ```powershell
 dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 ```
 
 #### Cleanup Commands:
+
 ```powershell
 Remove-Item -path #{output_file} -ErrorAction Ignore
 ```
 
-
-
-
-
 <br/>
 <br/>
 
 ## Atomic Test #2 - Compress Data for Exfiltration With Rar
+
 An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
-When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1002-data.rar in the %USERPROFILE% directory 
+When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called
+T1002-data.rar in the %USERPROFILE% directory
 
 **Supported Platforms:** Windows
 
-
-
-
 #### Inputs:
+
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
@@ -70,162 +66,154 @@ When the test completes you should find the txt files from the %USERPROFILE% dir
 | rar_installer | Winrar installer | Path | %TEMP%&#92;winrar.exe|
 | rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|
 
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!
 
 ```cmd
 "#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
 ```
 
 #### Cleanup Commands:
+
 ```cmd
 del /f /q /s #{output_file} >nul 2>&1
 ```
 
-
-
 #### Dependencies:  Run with `command_prompt`!
+
 ##### Description: Rar tool must be installed at specified location (#{rar_exe})
+
 ##### Check Prereq Commands:
+
 ```cmd
 if not exist "#{rar_exe}" (exit /b 1) 
 ```
+
 ##### Get Prereq Commands:
+
 ```cmd
 echo Downloading Winrar installer
 bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
 echo Follow the installer prompts to install Winrar
 #{rar_installer}
 ```
 
-
-
-
 <br/>
 <br/>
 
 ## Atomic Test #3 - Data Compressed - nix - zip
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
-
-**Supported Platforms:** Linux, macOS
-
 
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses
+standard zip compression.
 
+**Supported Platforms:** Linux, macOS
 
 #### Inputs:
+
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt|
 | output_file | Path that should be output as a zip archive | Path | $HOME/data.zip|
 
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!
 
 ```sh
 zip #{output_file} #{input_files}
 ```
 
 #### Cleanup Commands:
+
 ```sh
 rm -f #{output_file}
 ```
 
-
-
 #### Dependencies:  Run with `sh`!
+
 ##### Description: Files to zip must exist (#{input_files})
+
 ##### Check Prereq Commands:
+
 ```sh
 ls #{input_files} 
 ```
+
 ##### Get Prereq Commands:
+
 ```sh
 echo Please set input_files argument to include files that exist
 ```
 
-
-
-
 <br/>
 <br/>
 
 ## Atomic Test #4 - Data Compressed - nix - gzip Single File
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
-
-**Supported Platforms:** Linux, macOS
-
 
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses
+standard gzip compression.
 
+**Supported Platforms:** Linux, macOS
 
 #### Inputs:
+
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt|
 | input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|
 
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!
 
 ```sh
 test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
 ```
 
 #### Cleanup Commands:
+
 ```sh
 rm -f #{input_file}.gz
 ```
 
-
-
-
-
 <br/>
 <br/>
 
 ## Atomic Test #5 - Data Compressed - nix - tar Folder or File
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
-
-**Supported Platforms:** Linux, macOS
-
 
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses
+standard gzip compression.
 
+**Supported Platforms:** Linux, macOS
 
 #### Inputs:
+
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME|
 | output_file | File that should be output | Path | $HOME/data.tar.gz|
 
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!
 
 ```sh
 tar -cvzf #{output_file} #{input_file_folder}
 ```
 
 #### Cleanup Commands:
+
 ```sh
 rm -f #{output_file}
 ```
 
-
-
 #### Dependencies:  Run with `sh`!
+
 ##### Description: Folder to zip must exist (#{input_file_folder})
+
 ##### Check Prereq Commands:
+
 ```sh
 test -e #{input_file_folder} 
 ```
+
 ##### Get Prereq Commands:
+
 ```sh
 echo Please set input_file_folder argument to a folder that exists
 ```
 
-
-
-
 <br/>