From 1b2bf832c3181acf12033d89d7d9fb70e65cd8ec Mon Sep 17 00:00:00 2001 From: Andrew Beers Date: Wed, 20 May 2020 08:43:35 -0500 Subject: [PATCH] T1036 file extension masquerading fix (#999) * change executor to help with writing detection * putting guid back in Co-authored-by: Carrie Roberts --- atomics/T1036/T1036.yaml | 56 ++++++++++++------------ atomics/T1036/src/T1036_masquerading.ps1 | 2 +- atomics/T1036/src/T1036_masquerading.vbs | 3 +- 3 files changed, 30 insertions(+), 31 deletions(-) diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml index f7a2e77f..b8255e2d 100644 --- a/atomics/T1036/T1036.yaml +++ b/atomics/T1036/T1036.yaml 
@@ -205,35 +205,35 @@ atomic_tests:
 default: PathToAtomicsFolder\T1036\src\T1036_masquerading.ps1
 executor:
- name: powershell
+ name: command_prompt
 elevation_required: false
 command: |
- Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.docx.exe -Force
- Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.pdf.exe -Force
- Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.ps1.exe -Force
- Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xls.vbs -Force
- Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xlsx.vbs -Force
- Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.png.vbs -Force
- Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.vbs.ps1 -Force
- Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.exe.ps1 -Force
- Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.js.ps1 -Force
- Invoke-Expression $env:TEMP\T1036_masquerading.docx.exe
- Invoke-Expression $env:TEMP\T1036_masquerading.pdf.exe
- Invoke-Expression $env:TEMP\T1036_masquerading.ps1.exe
- Invoke-Expression $env:TEMP\T1036_masquerading.xls.vbs
- Invoke-Expression $env:TEMP\T1036_masquerading.xlsx.vbs
- Invoke-Expression $env:TEMP\T1036_masquerading.png.vbs
- Invoke-Expression $env:TEMP\T1036_masquerading.vbs.ps1
- Invoke-Expression $env:TEMP\T1036_masquerading.exe.ps1
- Invoke-Expression $env:TEMP\T1036_masquerading.js.ps1
+ copy #{exe_path} %temp%\T1036_masquerading.docx.exe /Y
+ copy #{exe_path} %temp%\T1036_masquerading.pdf.exe /Y
+ copy #{exe_path} %temp%\T1036_masquerading.ps1.exe /Y
+ copy #{vbs_path} %temp%\T1036_masquerading.xls.vbs /Y
+ copy #{vbs_path} %temp%\T1036_masquerading.xlsx.vbs /Y
+ copy #{vbs_path} %temp%\T1036_masquerading.png.vbs /Y
+ copy #{ps1_path} %temp%\T1036_masquerading.doc.ps1 /Y
+ copy #{ps1_path} %temp%\T1036_masquerading.pdf.ps1 /Y
+ copy #{ps1_path} %temp%\T1036_masquerading.rtf.ps1 /Y
+ %temp%\T1036_masquerading.docx.exe
+ %temp%\T1036_masquerading.pdf.exe
+ %temp%\T1036_masquerading.ps1.exe
+ %temp%\T1036_masquerading.xls.vbs
+ %temp%\T1036_masquerading.xlsx.vbs
+ %temp%\T1036_masquerading.png.vbs
+ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.doc.ps1
+ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.pdf.ps1
+ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.rtf.ps1
 cleanup_command: |
- Remove-Item $env:TEMP\T1036_masquerading.docx.exe -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.pdf.exe -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.ps1.exe -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.xls.vbs -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.xlsx.vbs -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.png.vbs -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.vbs.ps1 -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.exe.ps1 -Force -ErrorAction Ignore | Out-Null
- Remove-Item $env:TEMP\T1036_masquerading.js.ps1 -Force -ErrorAction Ignore | Out-Null
+ del /f %temp%\T1036_masquerading.docx.exe > nul 2>&1
+ del /f %temp%\T1036_masquerading.pdf.exe > nul 2>&1
+ del /f %temp%\T1036_masquerading.ps1.exe > nul 2>&1
+ del /f %temp%\T1036_masquerading.xls.vbs > nul 2>&1
+ del /f %temp%\T1036_masquerading.xlsx.vbs > nul 2>&1
+ del /f %temp%\T1036_masquerading.png.vbs > nul 2>&1
+ del /f %temp%\T1036_masquerading.doc.ps1 > nul 2>&1
+ del /f %temp%\T1036_masquerading.pdf.ps1 > nul 2>&1
+ del /f %temp%\T1036_masquerading.rtf.ps1 > nul 2>&1
diff --git a/atomics/T1036/src/T1036_masquerading.ps1 b/atomics/T1036/src/T1036_masquerading.ps1
index ae3bc0a9..31d0ccd9 100644
--- a/atomics/T1036/src/T1036_masquerading.ps1
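Review bot: Every path in the new command_prompt executor is unquoted, so both the `copy` lines and the direct invocations break as soon as `%temp%` or `#{exe_path}` contains a space (a profile such as `C:\Users\Jane Doe` puts one into `%temp%`); wrap each path, e.g. `copy "#{exe_path}" "%temp%\T1036_masquerading.docx.exe" /Y` and `"%temp%\T1036_masquerading.docx.exe"`, and do the same in cleanup_command. The three `powershell.exe -File` lines will also be refused under a Restricted or AllSigned execution policy, so adding `-ExecutionPolicy Bypass` keeps the test runnable on a hardened host and gives detection authors one consistent command line to key on. The `.vbs` copies are launched through the shell file association, which is a common hardening target; invoking `cscript //nologo "%temp%\T1036_masquerading.xls.vbs"` explicitly avoids a silent no-run and pins the telemetry to cscript.exe. The enclosing atomic test entry begins before this hunk.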
+++ b/atomics/T1036/src/T1036_masquerading.ps1
@@ -1 +1 @@
-exit
\ No newline at end of file
+Exit-PSSession
\ No newline at end of file
diff --git a/atomics/T1036/src/T1036_masquerading.vbs b/atomics/T1036/src/T1036_masquerading.vbs
index 03cfd6a6..cdba9c9c 100644
--- a/atomics/T1036/src/T1036_masquerading.vbs
+++ b/atomics/T1036/src/T1036_masquerading.vbs
@@ -1,2 +1 @@
-Wscript.Echo "T1036_maquerading"
-Wscript.Quit 1
\ No newline at end of file
+Wscript.Quit
\ No newline at end of file
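Review bot: The switch from `exit` to `Exit-PSSession` is not explained anywhere in the script, and because `Exit-PSSession` only acts on an interactive remoting session (under a plain `powershell.exe -File` run it is, as far as I can tell, a no-op), a later maintainer is likely to read it as a mistake and put `exit` back. The commit message suggests the cmdlet was chosen so that script block logging records a recognisable line; record that intent in the file with a comment such as `# Deliberate no-op: Exit-PSSession leaves a distinctive line in script block logging for detection authors without ending the host.` It is also worth stating in the same comment that the script now emits no output and sets no explicit exit code, so the only artifacts are the logged script block and the process creation carrying the double-extension path.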
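Review bot: With the `Wscript.Echo` line removed the script's only observable effect is a wscript.exe or cscript.exe process whose command line carries the double-extension filename, and nothing in the file says this silence is intentional; add a comment above `Wscript.Quit` such as `' Exit quietly with code 0: the detection signal is the masqueraded filename on the wscript/cscript command line, not script output.` Dropping the explicit exit code 1 in favour of a bare `Wscript.Quit` (exit code 0) presumably also lets the calling test treat the run as successful, which deserves a word in the same comment so the code is not reintroduced.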