From 498aecdb839babeae493aef9a5e4ad525284f60f Mon Sep 17 00:00:00 2001
From: jandress
Date: Fri, 1 Mar 2024 11:22:39 -0800
Subject: [PATCH] New test: T1542.001 - 'UEFI Persistence via Wpbbin.exe File Creation' (#2714)
* New test: T1542.001 - 'UEFI Persistence via Wpbbin.exe File Creation'
* Update T1542.001.yaml
---------
Co-authored-by: jandress <1542666+jandress@users.noreply.github.com>
---
atomics/T1542.001/T1542.001.yaml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 atomics/T1542.001/T1542.001.yaml
diff --git a/atomics/T1542.001/T1542.001.yaml b/atomics/T1542.001/T1542.001.yaml
new file mode 100644
index 00000000..309b463b
--- /dev/null
+++ b/atomics/T1542.001/T1542.001.yaml
@@ -0,0 +1,20 @@
+attack_technique: T1542.001
+display_name: "Pre-OS Boot: System Firmware"
+atomic_tests:
+- name: UEFI Persistence via Wpbbin.exe File Creation
+ description: |
+ Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+ - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+ - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+ - https://github.com/tandasat/WPBT-Builder
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ command: |
+ echo "Creating %systemroot%\wpbbin.exe"
+ New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
+ cleanup_command: |
+ echo "Removing %systemroot%\wpbbin.exe"
+ Remove-Item -Path "$env:SystemRoot\System32\wpbbin.exe"
+ elevation_required: true
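Review bot: The `cleanup_command` removes `$env:SystemRoot\System32\wpbbin.exe` unconditionally, so on a host where a WPBT-delivered wpbbin.exe is already present the `New-Item` in `command` fails (it does not overwrite an existing file without `-Force`) but cleanup then deletes the legitimate file, and on a host where the test never ran cleanup errors out because the file is absent. Record whether the file existed before creating it, or at least delete only the zero-length file this test creates, e.g. `$p = "$env:SystemRoot\System32\wpbbin.exe"; if ((Get-Item $p -ErrorAction SilentlyContinue).Length -eq 0) { Remove-Item -Path $p -ErrorAction Ignore }`, which also keeps cleanup from failing when the file is missing. The `description` and both `echo` lines refer to `%systemroot%\wpbbin.exe`, but the path actually written is `$env:SystemRoot\System32\wpbbin.exe`, and PowerShell does not expand `%systemroot%`, so the messages print that literal string; align them with the real path, e.g. `Write-Host "Creating $env:SystemRoot\System32\wpbbin.exe"`, and say "in %SystemRoot%\System32" in the description.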