From ba45698be796b86e3709785c63cbe53711228aa7 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Sun, 21 Nov 2021 17:13:14 +0000
Subject: [PATCH 1/4] T1036.006 - add test for space after filename

---
 atomics/T1036.006/T1036.006.yaml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 1d239842..fc5a7d5d 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -1,7 +1,7 @@
 attack_technique: T1036.006
 display_name: 'Masquerading: Space after Filename'
 atomic_tests:
-- name: Space After Filename
+- name: Space After Filename (Manual)
   auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
   description: |
     Space After Filename
@@ -9,10 +9,25 @@ atomic_tests:
   - macos
   executor:
     steps: |
-      1. 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+      1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
       2. mv execute.txt "execute.txt "
       3. ./execute.txt\ 
     name: manual
-
+- name: Space After Filename
+  description: |
+    Space after filename.
+  supported_platforms:
+  - macos
+  - linux
+  executor:
+    name: bash
+    command: |
+      mkdir -p /tmp/atomic-test-T1036.006
+      cd /tmp/atomic-test-T1036.006
+      mkdir -p 'testdirwithspaceend\ '
+      touch 'testdirwithspaceend\ /testfile\ '
+      echo -e "a\n#modified $(date -Is)\n.\nw\nq\n" | ed 'endspacetestfile\ '
+    cleanup_command:
+      rm -rf /tmp/atomic-test-T1036.006

From 2e055a11b90316f1f065dcfbf35fde92962e9e27 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 01:05:59 +0000
Subject: [PATCH 2/4] T1036.006 generate-guids

---
 atomics/T1036.006/T1036.006.yaml | 1 +
 atomics/used_guids.txt | 1 +
 2 files changed, 2 insertions(+)

diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index fc5a7d5d..0e3c4e15 100644
--- a/atomics/T1036.006/T1036.006.yaml
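Review bot: The `description` added for the new bash test is the single phrase `Space after filename.`, and no later patch in this series touches it, so an operator running the atomic cannot tell what artifacts it creates or what a detection should key on. Suggest expanding it to state that the test creates a directory and a file under `/tmp/atomic-test-T1036.006` whose names end in a trailing space, and that the telemetry of interest is a file-creation or process event whose name carries that trailing space, which tooling that trims whitespace will render as an ordinary name. The `cleanup_command:` is also written as a plain scalar continued on the following line rather than the `|` literal-block form used for `command:` just above it; that parses today but breaks as soon as a second cleanup line is added, so `cleanup_command: |` would be safer.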
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -16,6 +16,7 @@ atomic_tests:
       3. ./execute.txt\ 
     name: manual
 - name: Space After Filename
+  auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
   description: |
     Space after filename.
   supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 67b6c4df..e424d8d7 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -821,3 +821,4 @@ f449c933-0891-407f-821e-7916a21a1a6f
 d3eda496-1fc0-49e9-aff5-3bec5da9fa22
 e42d33cd-205c-4acf-ab59-a9f38f6bad9c
 dddd4aca-bbed-46f0-984d-e4c5971c51ea
+b95ce2eb-a093-4cd8-938d-5258cef656ea

From 974334e776ff05c8ae6191e30d602540f93f2adf Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 01:20:43 +0000
Subject: [PATCH 3/4] T1036.006: tweak based on testing

---
 atomics/T1036.006/T1036.006.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 0e3c4e15..6e8752fb 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -27,8 +27,8 @@ atomic_tests:
     command: |
       mkdir -p /tmp/atomic-test-T1036.006
       cd /tmp/atomic-test-T1036.006
-      mkdir -p 'testdirwithspaceend\ '
-      touch 'testdirwithspaceend\ /testfile\ '
-      echo -e "a\n#modified $(date -Is)\n.\nw\nq\n" | ed 'endspacetestfile\ '
+      mkdir -p 'testdirwithspaceend '
+      touch 'testdirwithspaceend /testfile1 '
+      echo -e "a\n#atomic-test T1036.006\n.\nw\nq\n" | ed 'testdirwithspaceend /testfile1 ' &> /dev/null
     cleanup_command:
       rm -rf /tmp/atomic-test-T1036.006

From 50bb3347e26d768b728b5a12dae6af73c7f0606b Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 03:11:40 +0000
Subject: [PATCH 4/4] T1036.006: adds the actual masquerading part

Added execution, confirmed that the process name shows as `init ` via htop. Between ART, echo, yaml, bash, &c, I could not just `echo '...' > file` with the required escaping and had to resort to more drastic measures with `ed`
---
 atomics/T1036.006/T1036.006.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 6e8752fb..14c6f51e 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -28,7 +28,8 @@ atomic_tests:
       mkdir -p /tmp/atomic-test-T1036.006
       cd /tmp/atomic-test-T1036.006
       mkdir -p 'testdirwithspaceend '
-      touch 'testdirwithspaceend /testfile1 '
-      echo -e "a\n#atomic-test T1036.006\n.\nw\nq\n" | ed 'testdirwithspaceend /testfile1 ' &> /dev/null
+      /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
+      chmod +x 'testdirwithspaceend /init '
+      './testdirwithspaceend /init '
     cleanup_command:
       rm -rf /tmp/atomic-test-T1036.006
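Review bot: The Perl source piped into `ed` on the first added line prints `running T1035.006 ...`, which should read `T1036.006`, and the whole `/usr/bin/echo -e | ed` construction exists only to get that text into a file past shell quoting, as the commit message says. A quoted heredoc (`<<'EOF'`) writes the script verbatim with no shell or echo escaping at all, which removes the `\\n` / `\"` / `\/` juggling and the dependency on `/usr/bin/echo -e`; I don't believe macOS ships `/usr/bin/echo`, and its `echo` does not honour `-e`, so with `macos` still listed in `supported_platforms` the current line likely fails there (worth verifying on a Mac). The unchanged `cd /tmp/atomic-test-T1036.006` context line should also stop on failure (`|| exit 1`), otherwise a failed `mkdir -p` leaves the copy of perl and the `init ` process in whatever the current directory happens to be. Rewritten command block below, on the assumption that the bash executor hands the literal block to bash as a script so the heredoc terminator lands on its own line.
```yaml
      mkdir -p /tmp/atomic-test-T1036.006
      cd /tmp/atomic-test-T1036.006 || exit 1
      mkdir -p 'testdirwithspaceend '
      cat > 'testdirwithspaceend /init ' <<'EOF'
      #!/usr/bin/perl
      print "running T1036.006 with space after filename to masquerade init\n";
      qx/cp \/usr\/bin\/perl 'init '/;
      qx/'.\/init ' -e 'sleep 5'/;
      EOF
      chmod +x 'testdirwithspaceend /init '
      './testdirwithspaceend /init '
      # … unchanged: cleanup_command …
```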