From 691982bbdbe5e1f3285aa13043ac040fbaee0517 Mon Sep 17 00:00:00 2001
From: lexiechong <58893774+lexiechong@users.noreply.github.com>
Date: Mon, 28 Jun 2021 10:46:45 -0500
Subject: [PATCH] T1486-update (#1536)

Co-authored-by: Chong
Co-authored-by: Carrie Roberts
---
 atomics/T1486/T1486.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml
index 44f8222c..ecde61fb 100644
--- a/atomics/T1486/T1486.yaml
+++ b/atomics/T1486/T1486.yaml
@@ -162,3 +162,19 @@ atomic_tests:
     cleanup_command: |
       $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
       rm #{encrypted_file_path}
+
+- name: PureLocker Ransom Note
+  description: |
+    building the IOC (YOUR_FILES.txt) for the PureLocker ransomware
+    https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/
+
+  supported_platforms:
+  - windows
+
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
+    cleanup_command: |
+      del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
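Review bot: `elevation_required: true` on the new executor demands an elevated prompt that the test does not need — the `echo ... > %USERPROFILE%\Desktop\YOUR_FILES.txt` command and the matching `del` only touch the current user's Desktop, so `elevation_required: false` runs the simulation under least privilege and avoids a spurious admin requirement for anyone validating detection of this IOC. The note path is also written twice, once in `command` and once in `cleanup_command`; hoisting it into an `input_arguments` entry and referencing `#{ransom_note_path}` in both, the way the preceding test references `#{encrypted_file_path}`, keeps the two from drifting apart and lets operators stage the note elsewhere. The description would read better as a sentence, e.g. `Creates the PureLocker ransom-note IOC (YOUR_FILES.txt) on the user's Desktop.`, with the reference URL kept on the following line. The rest of the `atomic_tests` list starts outside the hunk, so whether sibling tests already carry `input_arguments` is inferred from the context lines rather than confirmed.
```yaml
- name: PureLocker Ransom Note
  # … unchanged: description, supported_platforms …
  input_arguments:
    ransom_note_path:
      description: Where the ransom-note IOC is written
      type: path
      default: '%USERPROFILE%\Desktop\YOUR_FILES.txt'

  executor:
    name: command_prompt
    elevation_required: false
    command: |
      echo T1486 - Purelocker Ransom Note > #{ransom_note_path}
    cleanup_command: |
      del #{ransom_note_path} >nul 2>&1
```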