From 5996ff29dc08461cbcfcf604a4d2f50837e34a79 Mon Sep 17 00:00:00 2001
From: JimmyAstle
Date: Thu, 5 Dec 2019 15:17:18 -0500
Subject: [PATCH] Update to T1053 to add Register-ScheduledTask (#707)

New atomic test to include Register-ScheduledTask: https://docs.microsoft.com/en-us/powershell/module/scheduledtasks/register-scheduledtask?view=win10-ps
---
 atomics/T1053/T1053.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/atomics/T1053/T1053.yaml b/atomics/T1053/T1053.yaml
index d29ec717..ce67c97a 100644
--- a/atomics/T1053/T1053.yaml
+++ b/atomics/T1053/T1053.yaml
@@ -69,3 +69,23 @@ atomic_tests:
 name: command_prompt
 command: |
 SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+
+- name: Powershell Cmdlet Scheduled Task
+ description: |
+ Create an atomic scheduled task that leverages native powershell cmdlets.
+ These could be concidered "fileless" scheduled task creation.
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $Action = New-ScheduledTaskAction -Execute "calc.exe"
+ $Trigger = New-ScheduledTaskTrigger -AtLogon
+ $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+ $Set = New-ScheduledTaskSettingsSet
+ $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+ Register-ScheduledTask AtomicTask -InputObject $object
+ cleanup_command: |
+ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
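Review bot: `elevation_required: false` contradicts the task itself, which is built with `New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest`; in my experience `Register-ScheduledTask` refuses a highest-run-level Administrators principal from a non-elevated session with "Access is denied", so the executor flag should be `elevation_required: true` (or the principal lowered to the current user) so the runner prompts correctly. The description's "fileless" claim is also misleading for anyone building detections on this test: no schtasks.exe process is spawned, but the task definition is still persisted as XML under `%SystemRoot%\System32\Tasks` and in the `Schedule\TaskCache` registry keys, and the test leaves a persistent at-logon task until the cleanup runs — I would reword it to say that it avoids schtasks.exe rather than that it leaves no artifacts, and fix the typo "concidered". For consistency with the schtasks test directly above, which parameterises `#{task_command}`, the task name and executable should come from `input_arguments` with the defaults `AtomicTask` and `calc.exe` rather than being hard-coded in both `command` and `cleanup_command`. The enclosing `atomic_tests` list starts outside the hunk, so the exact `input_arguments` type/default schema should be copied from the earlier tests in this file.
```yaml
- name: Powershell Cmdlet Scheduled Task
  description: |
    Create a scheduled task with the native ScheduledTasks cmdlets instead of schtasks.exe.
    No schtasks.exe process is spawned, but the task definition is still written to
    %SystemRoot%\System32\Tasks and the TaskCache registry keys, so it is not truly "fileless".
  # … unchanged: supported_platforms …
  input_arguments:
    task_name:
      description: Name of the registered task  # match the schema of the earlier tests in this file
      type: string
      default: AtomicTask
    task_command:
      description: Program the task runs
      type: string
      default: calc.exe
  executor:
    name: powershell
    elevation_required: true
    command: |
      $Action = New-ScheduledTaskAction -Execute "#{task_command}"
      # … unchanged: trigger, principal, settings, New-ScheduledTask …
      Register-ScheduledTask "#{task_name}" -InputObject $object
    cleanup_command: |
      Unregister-ScheduledTask -TaskName "#{task_name}" -confirm:$false
```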