Added T1036.005 test: Masquerading cmd.exe as VSDetector.exe by Furka… (#3159)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1036.005/T1036.005.yaml

@@ -1,13 +1,15 @@
+---
 attack_technique: T1036.005
 display_name: 'Masquerading: Match Legitimate Name or Location'
+
 atomic_tests:
-- name: Execute a process from a directory masquerading as the current parent directory.
+- name: Execute a process from a directory masquerading as the current parent directory
   auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
   description: |
     Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
   supported_platforms:
-  - macos
-  - linux
+    - macos
+    - linux
   input_arguments:
     test_message:
       description: Test message to echo out to the screen
@@ -23,12 +25,13 @@ atomic_tests:
     cleanup_command: |
       rm -f $HOME/.../sh
       rmdir $HOME/.../
+
 - name: Masquerade as a built-in system executable
   auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
   description: |
     Launch an executable that attempts to masquerade as a legitimate executable.
   supported_platforms:
-  - windows
+    - windows
   input_arguments:
     executable_filepath:
       description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
@@ -48,3 +51,67 @@ atomic_tests:
     cleanup_command: |
       Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
     name: powershell
+
+- name: Masquerading cmd.exe as VEDetector.exe
+  description: |
+    This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+    The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+    This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+    **Expected Output:**
+    - A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+    - SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+    - Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+    **References:**
+    - [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+    - [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    ved_path:
+      description: Directory path where VEDetector.exe will be created
+      type: Path
+      default: $env:TEMP
+    source_file:
+      description: Path to the source cmd.exe file
+      type: Path
+      default: $env:SystemRoot\System32\cmd.exe
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        The source cmd.exe file must exist on the system.
+      prereq_command: |
+        if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+        exit 1
+
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      # Copy and rename cmd.exe to VEDetector.exe
+      Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+      
+      # Create registry run key for persistence
+      New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+      
+      # Start the renamed process
+      Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+      
+      Start-Sleep -Seconds 5
+    cleanup_command: |
+      # Remove registry key
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+      
+      # Stop the process
+      Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+      
+      # Remove the file
+      Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+      
+      Write-Host "[+] Cleaned up VEDetector artifacts"