From 934aaa1435aa5fe93ebfb2c70c1858fac6facb80 Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Tue, 19 Nov 2019 14:13:45 -0800
Subject: [PATCH] T1023 LNK file to launch CMD placed in startup folders (#674)

* put lnk files in startup folder

* fix typo
---
 atomics/T1023/T1023.yaml | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/atomics/T1023/T1023.yaml b/atomics/T1023/T1023.yaml
index 38fda3f9..eeedfda8 100644
--- a/atomics/T1023/T1023.yaml
+++ b/atomics/T1023/T1023.yaml
@@ -5,8 +5,8 @@ display_name: Shortcut Modification
 atomic_tests:
 - name: Shortcut Modification
   description: |
-    This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
-    gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
+    This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
+    gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
   supported_platforms:
   - windows
@@ -23,3 +23,30 @@ atomic_tests:
     command: |
       echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path}
+- name: Create shortcut to cmd in startup folders
+  description: |
+    LNK file to launch CMD placed in startup folder
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      $Shell = New-Object -ComObject ("WScript.Shell")
+      $ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
+      $ShortCut.TargetPath="cmd.exe"
+      $ShortCut.WorkingDirectory = "C:\Windows\System32";
+      $ShortCut.WindowStyle = 1;
+      $ShortCut.Description = "T1023.";
+      $ShortCut.Save()
+
+      $Shell = New-Object -ComObject ("WScript.Shell")
+      $ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
+      $ShortCut.TargetPath="cmd.exe"
+      $ShortCut.WorkingDirectory = "C:\Windows\System32";
+      $ShortCut.WindowStyle = 1;
+      $ShortCut.Description = "T1023.";
+      $ShortCut.Save()
+    cleanup_command: |
+      Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
+      Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
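Review bot: The cleanup_command at the end of the hunk does not account for a partial run: the test writes the same T1023.lnk to both the per-user (APPDATA) and the all-users (ProgramData) Startup folder, so if the first `Save()` succeeds and the second fails (the ProgramData path is typically the only one that actually needs `elevation_required: true`), or cleanup is never reached, a shortcut that launches cmd.exe at every logon of every account stays on the host. Adding `-ErrorAction Ignore` to both `Remove-Item` lines lets cleanup remove whichever copy exists without the missing one being reported as a failure, and matters if the runner executes cleanup with a stopping error preference. The one-line description should also say what is planted and where, e.g. `LNK file to launch CMD placed in both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders; elevation is only needed for the all-users copy, and both shortcuts persist across logons until cleanup_command runs.` For consistency with the first test's `#{shortcut_file_path}`, the hard-coded `cmd.exe` target and the shortcut file name could be exposed as input_arguments so the spawned binary can be varied when tuning detections on Startup-folder writes.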