Add lolbin test (#1933)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1040/T1040.yaml

@@ -122,4 +122,33 @@ atomic_tests:
       del %temp%\trace.cab >nul 2>&1
     name: command_prompt
     elevation_required: true
-  
+
+- name: Windows Internal pktmon capture
+  description: |-
+    Will start a packet capture and store log file as t1040.etl.
+    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      pktmon.exe start --etw  -f %TEMP%\t1040.etl
+      TIMEOUT /T 5 >nul 2>&1
+      pktmon.exe stop
+    cleanup_command: |-
+      del %TEMP%\t1040.etl
+    name: command_prompt
+    elevation_required: true  
+ 
+- name: Windows Internal pktmon set filter
+  description: |-
+    Select Desired ports for packet capture 
+    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      pktmon.exe filter add -p 445
+    cleanup_command: |-
+      pktmon filter remove
+    name: command_prompt
+    elevation_required: true 

atomics/T1105/T1105.yaml

@@ -553,6 +553,7 @@ atomic_tests:
       del /f/s/q %temp%\T1105 >nul 2>&1
       rmdir /s/q %temp%\T1105 >nul 2>&1
     name: command_prompt
+
 - name: MAZE Propagation Script
   auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
   description: |
@@ -609,3 +610,25 @@ atomic_tests:
       Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue
       Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue
     name: powershell
+
+- name: Printer Migration Command-Line Tool UNC share folder into a zip file
+  description: |
+    Create a ZIP file from a folder in a remote drive
+  supported_platforms:
+    - windows
+  input_arguments:
+    Path_unc:
+      description: Path to the UNC folder
+      type: Path
+      default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\
+    Path_PrintBrm:
+      description: Path to PrintBrm.exe
+      type: Path
+      default: C:\Windows\System32\spool\tools\PrintBrm.exe
+  executor:
+    command: |
+      del %TEMP%\PrintBrm.zip >nul 2>&1 
+      #{Path_PrintBrm} -b -d #{Path_unc}  -f %TEMP%\PrintBrm.zip -O FORCE
+    cleanup_command: |
+      del %TEMP%\PrintBrm.zip >nul 2>&1
+    name: command_prompt

atomics/T1127/T1127.yaml

@@ -0,0 +1,78 @@
+attack_technique: T1127
+display_name: 'Trusted Developer Utilities Proxy Execution'
+atomic_tests:
+- name: Lolbin Jsc.exe compile javascript to exe
+  description: |
+    Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
+    https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+    https://www.phpied.com/make-your-javascript-a-windows-exe/
+  supported_platforms:
+  - windows
+  input_arguments:
+    filename:
+      description: Location of the project file
+      type: Path
+      default: PathToAtomicsFolder\T1127\src\hello.js
+    jscpath:
+      description: Default location of jsc.exe
+      type: Path
+      default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
+    jscname:
+      description: Default name of jsc
+      type: Path
+      default: jsc.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      JavaScript code file must exist on disk at specified location (#{filename})
+    prereq_command: |
+      if (Test-Path #{filename}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
+  executor:
+    command: |
+      copy #{filename} %TEMP%\hello.js
+      #{jscpath}\#{jscname} %TEMP%\hello.js
+    cleanup_command: |
+      del %TEMP%\hello.js
+      del %TEMP%\hello.exe
+    name: command_prompt
+
+- name: Lolbin Jsc.exe compile javascript to dll
+  description: |
+    Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
+    https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+    https://www.phpied.com/make-your-javascript-a-windows-exe/
+  supported_platforms:
+  - windows
+  input_arguments:
+    filename:
+      description: Location of the project file
+      type: Path
+      default: PathToAtomicsFolder\T1127\src\LibHello.js
+    jscpath:
+      description: Default location of jsc.exe
+      type: Path
+      default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
+    jscname:
+      description: Default name of jsc
+      type: Path
+      default: jsc.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      JavaScript code file must exist on disk at specified location (#{filename})
+    prereq_command: |
+      if (Test-Path #{filename}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
+  executor:
+    command: |
+      copy #{filename} %TEMP%\LibHello.js
+      #{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
+    cleanup_command: |
+      del %TEMP%\LibHello.js
+      del %TEMP%\LibHello.dll
+    name: command_prompt  

atomics/T1127/src/LibHello.js

@@ -0,0 +1,9 @@
+package LibHello {
+    class Hello {
+        function say() {
+            var d = new Date();
+            var n = Math.random();
+            return 'Hello, \\ntoday is ' + d + '\\nand this is random - ' + n;
+        }
+    }
+}

atomics/T1127/src/hello.js

@@ -0,0 +1,3 @@
+var d = new Date();
+var n = Math.random();
+print('Hello, \\ntoday is ' + d + '\\nand this is random - ' + n);

atomics/T1218/T1218.yaml

@@ -283,3 +283,25 @@ atomic_tests:
     cleanup_command: |-
       taskkill /f /im calculator.exe > nul 2>&1
     name: command_prompt 
+- name: Lolbin Gpscript logon option
+  description: |
+    Executes logon scripts configured in Group Policy.
+    https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+    https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+  supported_platforms:
+    - windows
+  executor:
+    command: |
+      Gpscript /logon
+    name: command_prompt
+- name: Lolbin Gpscript startup option
+  description: |
+    Executes startup scripts configured in Group Policy
+    https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+    https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+  supported_platforms:
+    - windows
+  executor:
+    command: |
+      Gpscript /startup
+    name: command_prompt