From 6f40ae85f5cbbcebe232991a40c8624eae71205a Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 7 Jan 2021 09:42:43 -0700
Subject: [PATCH] solarigate atomic (#1358)

---
 atomics/T1047/T1047.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml
index 735aea3b..a4456299 100644
--- a/atomics/T1047/T1047.yaml
+++ b/atomics/T1047/T1047.yaml
@@ -106,4 +106,18 @@ atomic_tests:
 cleanup_command: |
 wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
 name: command_prompt
-
+- name: Create a Process using WMI Query and an Encoded Command
+ description: |
+ Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
+ Powershell -nop -exec bypass -EncodedCommand
+ Where the –EncodedCommand, once decoded, would resemble:
+ Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION
+ The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
+ You should expect to see notepad.exe running after execution of this test.
+ [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
+ name: command_prompt
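Review bot: The new test's executor has no `cleanup_command`, so every run leaves a notepad.exe process behind, whereas the preceding test in the hunk's context lines removes the process it spawned via wmic; add `cleanup_command: taskkill /f /im notepad.exe >nul 2>&1` under `executor:` next to `name: command_prompt`. The base64 blob on the `command:` line is the only place the executed command actually lives, and a reader can only take the description's word for what it decodes to; a YAML comment above it such as `# UTF-16LE base64 of: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe` would let a reviewer or detection engineer verify the payload and keep it from drifting from the description. The description also carries an en dash in `–EncodedCommand` and curly quotes around the rundll32 argument, which look like copy artifacts from the cited blog post and would not work if pasted; plain ASCII `-` and `'` are safer in a test definition.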