From 85ea448d3b7b5e1af46ca019b373b7807ca5d010 Mon Sep 17 00:00:00 2001
From: Tim Schulz <78771434+automate-tim@users.noreply.github.com>
Date: Mon, 14 Mar 2022 14:07:08 -0400
Subject: [PATCH] Added procedural variation to include PowerShell execution and WMIC (#1801)

* Added procedural variation to include PowerShell execution and WMIC
* Removed empty GUID lines
* Changed wmic to only command_prompt instead of powershell and command_prompt

Co-authored-by: Tim Schulz
Co-authored-by: Carrie Roberts
---
 atomics/T1057/T1057.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml
index ee79c755..2142182a 100644
--- a/atomics/T1057/T1057.yaml
+++ b/atomics/T1057/T1057.yaml
@@ -34,4 +34,36 @@ atomic_tests:
 command: |
 tasklist
 name: command_prompt
+- name: Process Discovery - Get-Process
+ description: |
+ Utilize Get-Process PowerShell cmdlet to identify processes.
+ Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Get-Process
+ name: powershell
+- name: Process Discovery - get-wmiObject
+ description: |
+ Utilize get-wmiObject PowerShell cmdlet to identify processes.
+
+ Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ get-wmiObject -class Win32_Process
+ name: powershell
+- name: Process Discovery - wmic process
+ description: |
+ Utilize windows management instrumentation to identify processes.
+
+ Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ wmic process get /format:list
+ name: command_prompt
\ No newline at end of file
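Review bot: The second added test (`get-wmiObject -class Win32_Process`) will fail under PowerShell 7, where the `Get-WmiObject` cmdlet no longer exists; if the atomic is meant to run on current PowerShell as well as Windows PowerShell, use `Get-CimInstance -ClassName Win32_Process` (available on Windows PowerShell 3+ and PowerShell 7), or state the Windows PowerShell requirement in that test's description. The cmdlet is also written in unconventional casing (`get-wmiObject`) in both the test name and the command; PowerShell resolves it case-insensitively, but `Get-WmiObject -Class Win32_Process` would match the cmdlet's own spelling and the `Get-Process` test above it. Minor: the first test's description lacks the blank line between its two sentences that the other two have, and the file now ends without a trailing newline (`\ No newline at end of file`).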