diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 8f0acce5..9acd2680 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -18,6 +18,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #4 - Modify registry to store logon credentials](#atomic-test-4---modify-registry-to-store-logon-credentials)
+- [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code)
+
@@ -139,3 +141,34 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
```
+
+
+## Atomic Test #5 - Modify registry to store PowerShell code
+Sets Windows Registry key containing base64-encoded PowerShell code.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
+| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion|
+| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
+
+#### Run it with `powershell`!
+```
+$OriginalCommand = '#{powershell_command}'
+$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+$EncodedCommand =[Convert]::ToBase64String($Bytes)
+$EncodedCommand
+Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+```
+
+
+#### Cleanup Commands:
+```
+Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
+```
+
+
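Review bot: the cleanup command passes `-Path` twice (`Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}`), so PowerShell cannot bind the second `-Path` as a value, the cleanup errors out and the base64 value is left behind under the key after the test finishes; drop the duplicate so the line reads `Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage}`. Two smaller points in the same hunk: the default `HKCU:Software\Microsoft\Windows\CurrentVersion` omits the backslash after the drive root, and `HKCU:\Software\...` is the unambiguous form since a drive-relative path depends on the current location in the HKCU: drive; and the description says the test "Sets Windows Registry key" when it actually writes a registry value (the `Debug` entry) under an existing key, which is worth stating precisely because that is what a detection rule would key on.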
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 85346e63..204b2e27 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -100,3 +100,33 @@ atomic_tests:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
cleanup_command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
+
+- name: Modify registry to store PowerShell code
+ description: |
+ Sets Windows Registry key containing base64-encoded PowerShell code.
+ supported_platforms:
+ - windows
+ input_arguments:
+ powershell_command:
+ description: PowerShell command to encode
+ type: String
+ default: Write-Host "Hey, Atomic!"
+ registry_key_storage:
+ description: Windows Registry Key to store code
+ type: String
+ default: HKCU:Software\Microsoft\Windows\CurrentVersion
+ registry_entry_storage:
+ description: Windows Registry entry to store code under key
+ type: String
+ default: Debug
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $OriginalCommand = '#{powershell_command}'
+ $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+ $EncodedCommand =[Convert]::ToBase64String($Bytes)
+ $EncodedCommand
+ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+ cleanup_command: |
+ Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
\ No newline at end of file
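Review bot: the same duplicated parameter is in this file's `cleanup_command` (`Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}`); fix it here first, since T1112.md and the index files are generated from this YAML. The file also now ends without a trailing newline ("\ No newline at end of file"), which should be restored to match the rest of the atomics.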
diff --git a/atomics/index.md b/atomics/index.md
index 631cf15a..cca10781 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -305,6 +305,7 @@
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
+ - Atomic Test #5: Modify registry to store PowerShell code [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index c1fced15..7ed1c534 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9256,6 +9256,37 @@ defense-evasion:
/v UseLogonCredential /t REG_DWORD /d 0 /f
'
+ - name: Modify registry to store PowerShell code
+ description: 'Sets Windows Registry key containing base64-encoded PowerShell
+ code.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ powershell_command:
+ description: PowerShell command to encode
+ type: String
+ default: Write-Host "Hey, Atomic!"
+ registry_key_storage:
+ description: Windows Registry Key to store code
+ type: String
+ default: HKCU:Software\Microsoft\Windows\CurrentVersion
+ registry_entry_storage:
+ description: Windows Registry entry to store code under key
+ type: String
+ default: Debug
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $OriginalCommand = '#{powershell_command}'
+ $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+ $EncodedCommand =[Convert]::ToBase64String($Bytes)
+ $EncodedCommand
+ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+ cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage}
+ -Name #{registry_entry_storage}'
T1170:
technique:
x_mitre_data_sources:
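Review bot: the generated `cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}'` carries the duplicated `-Path` over from T1112.yaml; rather than hand-editing this index, correct the source YAML and regenerate so index.yaml, index.md and windows-index.md stay consistent with it.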
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index e9e86144..7cfa78a3 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -102,6 +102,7 @@
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
+ - Atomic Test #5: Modify registry to store PowerShell code [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]