diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 1d239842..14c6f51e 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -1,7 +1,7 @@
 attack_technique: T1036.006
 display_name: 'Masquerading: Space after Filename'
 atomic_tests:
-- name: Space After Filename
+- name: Space After Filename (Manual)
 auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
 description: |
 Space After Filename
@@ -9,10 +9,27 @@ atomic_tests:
 - macos
 executor:
 steps: |
- 1. 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+ 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
 2. mv execute.txt "execute.txt "
 3. ./execute.txt\
 name: manual
-
+- name: Space After Filename
+ auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
+ description: |
+ Space after filename.
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ name: bash
+ command: |
+ mkdir -p /tmp/atomic-test-T1036.006
+ cd /tmp/atomic-test-T1036.006
+ mkdir -p 'testdirwithspaceend '
+ /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
+ chmod +x 'testdirwithspaceend /init '
+ './testdirwithspaceend /init '
+ cleanup_command:
+ rm -rf /tmp/atomic-test-T1036.006
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 556998a4..72fa84d2 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -821,5 +821,6 @@ f449c933-0891-407f-821e-7916a21a1a6f
 d3eda496-1fc0-49e9-aff5-3bec5da9fa22
 e42d33cd-205c-4acf-ab59-a9f38f6bad9c
 dddd4aca-bbed-46f0-984d-e4c5971c51ea
+b95ce2eb-a093-4cd8-938d-5258cef656ea
 f5aa6543-6cb2-4fae-b9c2-b96e14721713
 df1a55ae-019d-4120-bc35-94f4bc5c4b0a
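Review bot: The marker string printed by the new bash test in the second hunk of T1036.006.yaml says `T1035.006`, while the file, GUID entry and working directory all belong to T1036.006, so anyone correlating the test's output or process telemetry with the technique ID will miss it; the string should read `running T1036.006 with space after filename to masquerade init`. The `cd /tmp/atomic-test-T1036.006` line is unchecked and every later path is relative, so a failed `cd` would create `testdirwithspaceend ` and copy perl into whatever directory the runner started in; `cd /tmp/atomic-test-T1036.006 || exit 1` avoids that. The test lists macos but calls `/usr/bin/echo -e`, `ed` and `/usr/bin/perl` with no prerequisite check, and stock macOS likely ships echo only as `/bin/echo` without `-e` handling, so a `dependencies` entry with a `prereq_command` (or `printf '%b'` in place of the echo) would make such failures explicit rather than silent. The description `Space after filename.` would also help detection authors more if it stated that the script copies perl to a file named `init ` (trailing space) and runs it for five seconds.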