From 4f98d55d74f3ec663aefafa5f9733b93b3b79bca Mon Sep 17 00:00:00 2001
From: dwhite9
Date: Tue, 8 Oct 2019 13:40:16 -0500
Subject: [PATCH] T1086 - Added Atomic for writing file in alternate data stream and simulating code execution. (#582)

* Adding T1086 Alternate Data Stream atomic

* Added newline T1086
---
 atomics/T1086/T1086.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/atomics/T1086/T1086.yaml b/atomics/T1086/T1086.yaml
index 11b5379d..2c095fa9 100644
--- a/atomics/T1086/T1086.yaml
+++ b/atomics/T1086/T1086.yaml
@@ -224,3 +224,29 @@ atomic_tests:
 command: |
 reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
 powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
+
+- name: NTFS Alternate Data Stream Access
+ description: |
+ Creates a file with an alternate data stream and simulates executing that hidden code/file
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ ads_file:
+ description: File created to store Alternate Stream Data
+ type: String
+ default: $env:TEMP\NTFS_ADS.txt
+
+ executor:
+ name: powershell
+ elevation_required: false
+ prereq_command: | # Checks to verify that $env:HOMEDRIVE is an NTFS drive
+ if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS"){0}else{1}
+ command: |
+ Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
+ $streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
+ Invoke-Expression $streamcommand
+ cleanup_command: |
+ Remove:Item #{ads_file}
+
\ No newline at end of file
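Review bot: The new `cleanup_command` calls `Remove:Item`, which is not a cmdlet, so cleanup errors out and the test leaves `NTFS_ADS.txt` with its `streamCommand` stream on disk after every run; it should read `Remove-Item #{ads_file} -ErrorAction Ignore`. The `prereq_command` also checks the wrong volume: it inspects `$env:HOMEDRIVE` while the stream is written under `$env:TEMP` (the `ads_file` default), and since `ads_file` is an input argument the user can point it at any drive, so derive the letter from the path instead, e.g. `if((Get-Volume -DriveLetter (Split-Path -Qualifier #{ads_file})[0]).FileSystem -eq "NTFS"){exit 0}else{exit 1}`. As written the prereq only prints `0`/`1` to stdout rather than setting an exit status, and the surrounding atomics appear to signal prerequisite results by exit code, so an FAT/exFAT temp drive would presumably be reported as satisfied and the test would fail at `Add-Content -Stream` instead of being skipped. Consider stating in `description` that the ADS content is read back and run through `Invoke-Expression` so the detection goal (ADS write followed by execution of its content) is explicit to anyone mapping this to telemetry.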