From 0f77fd91fbe2c7592eabfa86e5f0836315ec20ff Mon Sep 17 00:00:00 2001
From: dwhite9
Date: Tue, 5 Nov 2019 13:07:15 -0600
Subject: [PATCH] Update T1036.yaml (#609)
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11. Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml Moved reg removal command under cleanup_command tag for consistency.
* Update T1086.yaml Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string. Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
* Update T1036.yaml Added Cleanup commands for the windows tests
---
 atomics/T1036/T1036.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index 80aaf8b1..ce95e83e 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -16,6 +16,8 @@ atomic_tests:
 command: |
 cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
 cmd.exe /c %SystemRoot%\Temp\lsass.exe
+ cleanup_command: |
+ del /Q /F %SystemRoot%\Temp\lsass.exe
 - name: Masquerading as Linux crond process.
 description: |
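Review bot: The new `del /Q /F %SystemRoot%\Temp\lsass.exe` cannot succeed while the masquerading process is alive, because `cmd.exe /c %SystemRoot%\Temp\lsass.exe` starts a copy of cmd.exe that waits for input and Windows refuses to delete the image file of a running process, so the fake lsass.exe is left behind in a system directory. Cleanup needs to end that process first, but it must never be `taskkill /F /IM lsass.exe`: the image name also matches the real LSASS, and terminating it forces a reboot. Match on the executable path instead, e.g. `powershell -Command "Get-Process lsass | Where-Object { $_.Path -eq ($env:SystemRoot + '\Temp\lsass.exe') } | Stop-Process -Force"` ahead of the `del` (quoting adjusted to the executor, which is declared outside this hunk), and append `>nul 2>&1` to the `del` so an already-missing file does not fail the cleanup step.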
@@ -44,6 +46,8 @@ atomic_tests:
 command: |
 copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
 cmd.exe /c %APPDATA%\notepad.exe /B
+ cleanup_command: |
+ del /Q /F %APPDATA%\notepad.exe
 - name: Masquerading - wscript.exe running as svchost.exe
 description: |
@@ -58,6 +62,8 @@ atomic_tests:
 command: |
 copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
 cmd.exe /c %APPDATA%\svchost.exe /B
+ cleanup_command: |
+ del /Q /F %APPDATA%\svchost.exe
 - name: Masquerading - powershell.exe running as taskhostw.exe
 description: |
@@ -72,3 +78,5 @@ atomic_tests:
 command: |
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
 cmd.exe /K %APPDATA%\taskhostw.exe
+ cleanup_command: |
+ del /Q /F %APPDATA%\taskhostw.exe
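Review bot: The new `del /Q /F %APPDATA%\notepad.exe` leaves `%APPDATA%` unquoted, and on an account whose profile path contains a space (`C:\Users\First Last\AppData\Roaming`) the argument splits and the dropped binary survives cleanup; the existing `copy` line has the same weakness, so the test would already misbehave there, but the cleanup should at least not add a second instance. Write it as `del /Q /F "%APPDATA%\notepad.exe" >nul 2>&1` so the path is one argument and a missing file does not fail the step. The test's `name:` and executor block lie outside this hunk, so I cannot confirm which shell interprets the line.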
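Review bot: The added `del /Q /F %APPDATA%\svchost.exe` assumes the spawned svchost.exe has exited, but wscript.exe is the GUI script host and, as far as I can tell, takes a single-slash `/B` as the script path rather than the `//B` host switch and reports the missing script in a modal dialog, leaving the process alive with its image file locked until someone dismisses it. If that is the case the `del` fails with a sharing violation and the fake svchost.exe remains in the profile. The cleanup should stop the process by executable path before deleting, and not with `taskkill /IM svchost.exe`, which matches every legitimate service host on the machine: `powershell -Command "Get-Process svchost | Where-Object { $_.Path -eq ($env:APPDATA + '\svchost.exe') } | Stop-Process -Force"` followed by the quoted `del /Q /F "%APPDATA%\svchost.exe" >nul 2>&1`. The executor for this test is declared outside the hunk.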
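Review bot: The added `del /Q /F %APPDATA%\taskhostw.exe` will not remove the binary in the normal case, because `cmd.exe /K %APPDATA%\taskhostw.exe` keeps the outer cmd open and the copied powershell.exe runs an interactive session, so the executable is still in use when cleanup runs and `del` reports a sharing violation, leaving a renamed PowerShell in the profile of every host the test touches. Cleanup needs to terminate the masquerading process first, selecting it by path rather than by name, since `taskkill /IM taskhostw.exe` would also kill the genuine taskhostw.exe in the session: `powershell -Command "Get-Process taskhostw | Where-Object { $_.Path -eq ($env:APPDATA + '\taskhostw.exe') } | Stop-Process -Force"` followed by `del /Q /F "%APPDATA%\taskhostw.exe" >nul 2>&1`. Whether the framework even reaches cleanup before the `/K` shell is closed depends on the executor, which is not visible in this hunk.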