Create T1025.yaml (#2962)

* Create T1025.yaml * Update T1025.yaml Edit command key structre. --------- Co-authored-by: Bhavin Patel <[email protected]>
redcanaryco · Oct 25, 2024 · e701a4a · e701a4a
1 parent 487dd6f
commit e701a4a
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/atomics/T1025/T1025.yaml b/atomics/T1025/T1025.yaml
@@ -0,0 +1,15 @@
+attack_technique: T1025
+display_name: Data from Removable Media
+atomic_tests:
+- name: Identify Documents on USB and Removable Media via PowerShell
+  description: |
+    This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files 
+    (e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files 
+    matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics 
+    how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
+  supported_platforms:
+  - windows
+  executor:
+    name: command_prompt
+    command: |
+      powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"