From 381ba9d44973decf67fe1cd2801a00692e1f7a9e Mon Sep 17 00:00:00 2001 From: Luminous-InfiniTom <35981510+Luminous-InfiniTom@users.noreply.github.com> Date: Thu, 27 Feb 2020 12:04:14 -0600 Subject: [PATCH] Create T1219.yaml (#838) * Create T1219.yaml Added first atomic for T1219 * spacing corrections * spacing corrections Co-authored-by: Carrie Roberts
---
atomics/T1219/T1219.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 atomics/T1219/T1219.yaml
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
new file mode 100644
index 00000000..ea19fba3
--- /dev/null
+++ b/atomics/T1219/T1219.yaml
@@ -0,0 +1,16 @@
+---
+attack_technique: T1219
+display_name: Remote Access Tools
+
+atomic_tests:
+- name: TeamViewer Files Detected Test on Windows
+ description: |
+ An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $client = new-object System.Net.WebClient
+ $client.DownloadFile("https://download.teamviewer.com/download/TeamViewer_Setup.exe","C:\tmp\teamviewer.exe")
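Review bot: The `command` block writes to `C:\tmp\teamviewer.exe` without making sure `C:\tmp` exists, and that directory is not normally present on Windows, so `DownloadFile` will likely throw before any file lands and the test produces no file-creation telemetry to detect. Create the directory first, e.g. `New-Item -ItemType Directory -Force -Path C:\tmp | Out-Null`, or write under `$env:TEMP` instead. The executor also has no `cleanup_command`, so the installer stays on the test host after the run; adding `cleanup_command: Remove-Item C:\tmp\teamviewer.exe -ErrorAction Ignore` would return the machine to a known state. Indentation is collapsed on this page, so the YAML nesting itself could not be checked.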