From 8762f3f929db2d4341865e4fa5889477b6959dba Mon Sep 17 00:00:00 2001
From: blackburnjrb <57798228+blackburnjrb@users.noreply.github.com>
Date: Mon, 24 Feb 2020 13:29:51 -0600
Subject: [PATCH] Added Test for OSTAP Worming Activity to T1105 (#836)
Co-authored-by: Carrie Roberts
---
 atomics/T1105/T1105.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index 66b90e8f..cbb7dcca 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -259,3 +259,24 @@ atomic_tests:
 cleanup_command: |
 Remove-Item #{destination_path} -Force -ErrorAction Ignore
+- name: OSTAP Worming Activity
+ description: |
+ OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.
+ supported_platforms:
+ - windows
+ input_arguments:
+ destination_path:
+ description: Path to create remote file at. Default is local admin share.
+ type: String
+ default: \\localhost\C$
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ pushd #{destination_path}
+ echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
+ CScript.exe AtomicTestT1105.js //E:JScript
+ del AtomicTestT1105.js /Q
+ del AtomicTestFileT1105.js /Q
+ popd
+
\ No newline at end of file
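Review bot: The two `del` lines sit inside `command`, so the files are removed in the same run that creates them and are left behind if the run is interrupted; the preceding test in this file uses a separate `cleanup_command` block. Moving them there as `del #{destination_path}\AtomicTestT1105.js /Q` and `del #{destination_path}\AtomicTestFileT1105.js /Q` would keep the artifacts on the share long enough to confirm that file-creation and `CScript.exe` telemetry was actually recorded. `pushd #{destination_path}` is also unchecked: if the share cannot be reached, the following `echo`, `CScript.exe` and `del` lines would presumably run in whatever the current directory is, so the description should state that or the command should stop on failure. The added strings contain two typos, `specfic` and `accross`, and the new block ends with a whitespace-only line and no final newline.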