T1005 Test to Copy Apple Notes Databases via AppleScript (#3051)

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>

atomics/T1005/T1005.yaml

@@ -88,3 +88,20 @@ atomic_tests:
         rm -f $HOME/.art
         rm -f $HOME/gta.db
         rm -f $HOME/sqlite_dump.sh 
+
+- name: Copy Apple Notes database files using AppleScript
+  description: |
+    This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
+  supported_platforms:
+  - macos
+  input_arguments:
+    destination_path:
+      description: Specify the path to copy the database files into.
+      type: path
+      default: /private/tmp
+  executor:
+    command: |-
+      osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
+    cleanup_command: 'rm "#{destination_path}/NoteStore.sqlite*"'
+    name: sh
+    elevation_required: false