From 7f2a7db461ab41148607cae9a27cdc6a0cd8a283 Mon Sep 17 00:00:00 2001
From: Scoubi
Date: Wed, 6 Sep 2023 13:23:30 -0400
Subject: [PATCH] Update T1564.004.yaml (#2521)

Include a test to test twitter.com/pfiatde/status/1681977680688738305 It creates a directory that you can only access by specifying '::$index_allocation' even if not shown in the name of the folder. It then create a file called 'secrets.txt' to hide information/payloads
---
 atomics/T1564.004/T1564.004.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/atomics/T1564.004/T1564.004.yaml b/atomics/T1564.004/T1564.004.yaml
index 4cc3a8ae..838efcc0 100644
--- a/atomics/T1564.004/T1564.004.yaml
+++ b/atomics/T1564.004/T1564.004.yaml
@@ -115,3 +115,28 @@ atomic_tests:
 cleanup_command: |
 Remove-Item -Path #{file_name} -ErrorAction Ignore
 name: powershell
+
+- name: Create Hidden Directory via $index_allocation
+ auto_generated_guid: 3e6791e7-232c-481c-a680-a52f86b83fdf
+ description: |
+ Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution,
+ run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the
+ alternate data stream, run "type %temp%\...$.......::$index_allocation\secrets.txt"
+ supported_platforms:
+ - windows
+ input_arguments:
+ folder_name:
+ description: File name of file to create inside the folder.
+ type: string
+ default: '%temp%\...$.......::$index_allocation'
+ hidden_filename:
+ description: Name of the files containing the hidden information
+ type: string
+ default: secrets.txt
+ executor:
+ command: |
+ md #{folder_name}
+ echo too many secrets > #{folder_name}\#{hidden_filename}
+ cleanup_command: |
+ rmdir /S /Q #{folder_name} >nul 2>&1
+ name: command_prompt
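Review bot: The description of the `folder_name` input argument, `File name of file to create inside the folder.`, does not describe the argument: it is the directory path that `md #{folder_name}` creates and the parent of the hidden file, while `hidden_filename` is the file. Something like `description: Path of the directory to create; its ::$index_allocation suffix is what makes it an alternate-data-stream directory.` would read correctly. The test description also spells out the verification path `type %temp%\...$.......::$index_allocation\secrets.txt`, which silently goes stale when either argument is overridden; writing it as `type #{folder_name}\#{hidden_filename}` keeps it tied to the inputs. The cleanup `rmdir /S /Q #{folder_name} >nul 2>&1` discards every error, so a directory left behind after a failed run is invisible to the operator; that matches the `-ErrorAction Ignore` style of the preceding test, so it is a style point rather than a defect.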