Merge pull request #1677 from glallen/T1036.006

T1036.006 Adds an automated test for space after filename.
2021-12-07 09:26:51 -07:00
parent 2e0b4540be e66d81e45c
commit 72c7517bea
2 changed files with 21 additions and 3 deletions
@@ -1,7 +1,7 @@
 attack_technique: T1036.006
 display_name: 'Masquerading: Space after Filename'
 atomic_tests:
- name: Space After Filename
+- name: Space After Filename (Manual)
  auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
  description: |
    Space After Filename
@@ -9,10 +9,27 @@ atomic_tests:
  - macos
  executor:
    steps: |
-      1. 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+      1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt

      2. mv execute.txt "execute.txt "

      3. ./execute.txt\ 
    name: manual
-
+- name: Space After Filename
+  auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
+  description: |
+    Space after filename.
+  supported_platforms:
+  - macos
+  - linux
+  executor:
+    name: bash
+    command: |
+      mkdir -p /tmp/atomic-test-T1036.006
+      cd /tmp/atomic-test-T1036.006
+      mkdir -p 'testdirwithspaceend '
+      /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
+      chmod +x 'testdirwithspaceend /init '
+      './testdirwithspaceend /init '
+    cleanup_command:
+      rm -rf /tmp/atomic-test-T1036.006
@@ -821,5 +821,6 @@ f449c933-0891-407f-821e-7916a21a1a6f
 d3eda496-1fc0-49e9-aff5-3bec5da9fa22
 e42d33cd-205c-4acf-ab59-a9f38f6bad9c
 dddd4aca-bbed-46f0-984d-e4c5971c51ea
+b95ce2eb-a093-4cd8-938d-5258cef656ea
 f5aa6543-6cb2-4fae-b9c2-b96e14721713
 df1a55ae-019d-4120-bc35-94f4bc5c4b0a