From 75f452195add6f02fdbb47f3fabc6745b7c871e2 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Mon, 1 Oct 2018 22:53:53 -0500
Subject: [PATCH] T1036 Masquerading (#361)

* T1036 Masquerading

* T1036, not T1306. Duh
---
 atomics/T1036/T1036.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 atomics/T1036/T1036.yaml

diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
new file mode 100644
index 00000000..218a4461
--- /dev/null
+++ b/atomics/T1036/T1036.yaml
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036
+display_name: Masquerading
+
+atomic_tests:
+- name: Masquerading as Windows LSASS process
+  description: |
+    Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
+      cmd.exe /c %SystemRoot%\Temp\lsass.exe
+
+- name: Masquerading as Linux crond process.
+  description: |
+    Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
+
+  supported_platforms:
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      cp /bin/sh /tmp/crond
+      /tmp/crond
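Review bot: Neither test removes the renamed binary it drops (`%SystemRoot%\Temp\lsass.exe` in the Windows executor's `command:`, `/tmp/crond` in the Linux one), so a second run or a later detection exercise sees a stale artifact that the test itself planted; each executor should carry a `cleanup_command:` block, e.g. `del %SystemRoot%\Temp\lsass.exe` and `rm -f /tmp/crond`. Copying into `%SystemRoot%\Temp` normally requires an elevated prompt, which the test does not state; adding `elevation_required: true` to the Windows executor documents that prerequisite for runners. Both final commands launch the copied shell with no arguments, which opens an interactive prompt that blocks until stdin is closed; invoking it with a trivial argument such as `/tmp/crond -c 'exit 0'` keeps the executor non-interactive while still producing the masqueraded process. The Linux test name also ends with a trailing period, unlike the Windows one and the rest of the atomics naming; dropping it keeps the generated documentation consistent.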