From 405c8330fc52d84ff4c710eaae47682590272d5e Mon Sep 17 00:00:00 2001
From: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Date: Mon, 4 May 2020 11:47:11 -0500
Subject: [PATCH] Update T1219.yaml (#970)

Added logmein download and execution. updated execution commands to reflect $env:username
---
 atomics/T1219/T1219.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
index fa61a756..20aef397 100644
--- a/atomics/T1219/T1219.yaml
+++ b/atomics/T1219/T1219.yaml
@@ -13,7 +13,7 @@ atomic_tests:
 elevation_required: true
 command: |
 Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe
- C:\Users\$CurrentUser\Desktop\TeamViewer_Setup.exe
+ C:\Users\$env:username\Desktop\TeamViewer_Setup.exe

 - name: AnyDesk Files Detected Test on Windows
 description: |
@@ -25,4 +25,16 @@ atomic_tests:
 elevation_required: true
 command: |
 Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
- C:\Users\$CurrentUser\Desktop\AnyDesk.exe
+ C:\Users\$env:username\Desktop\AnyDesk.exe
+
+- name: LogMeIn Files Detected Test on Windows
+ description: |
+ An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi
+ C:\Users\$env:username\Desktop\LogMeInIgnition.msi
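Review bot: The corrected invocation line still builds the profile path by hand as `C:\Users\$env:username\Desktop`, which does not match the real profile when the directory name differs from the account name (e.g. a `.DOMAIN`-suffixed profile) or when Desktop is redirected, so the download succeeds into one place and the execution line fails on another; `$env:USERPROFILE\Desktop` or `[Environment]::GetFolderPath('Desktop')` resolves the actual location for both the `-OutFile` target and the run line. The same hard-coded path is used in the AnyDesk test and in the new LogMeIn test of the second hunk, so it is worth fixing in all three at once. Separately, each test executes whatever `Invoke-WebRequest` just fetched from a live CDN with no integrity check; if the intent is a reproducible detection test rather than "run the current installer", a `Get-FileHash` comparison against a documented hash before the run line would pin what actually executes, and if not, the test description should say that the binary is unpinned. The enclosing test mappings start before this hunk, so any existing `cleanup_command` keys are outside the view.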
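Review bot: The new LogMeIn test's last line invokes the downloaded `.msi` by path, which unlike the `.exe` tests depends on the shell file association for `.msi` rather than starting a process image, and the installer will presumably open interactively and block an unattended run (cannot confirm from the hunk); invoking it explicitly through `msiexec.exe /i` with the quiet switch, or documenting that the atomic is interactive, would make the behaviour predictable. The test also drops `LogMeInIgnition.msi` on the Desktop and defines no `cleanup_command`, e.g. `cleanup_command: Remove-Item -Path C:\Users\$env:username\Desktop\LogMeInIgnition.msi -ErrorAction Ignore` under `executor`. Two wording slips in the description: `use to establish C2` should read `use it to establish C2`, and `sucessfully` should be `successfully`.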