From aca73307fa53f26d06854f8e2eabb6d240d60d27 Mon Sep 17 00:00:00 2001
From: Brian Thacker
Date: Mon, 30 Aug 2021 14:52:02 -0500
Subject: [PATCH] Add test "Remove the Zone.Identifier alternate data stream" (#1612)
Add test "Remove the Zone.Identifier alternate data stream". Test command removes the zone.identifier. The cleanup command adds the zone.identifier with the id for "internet". Check prereq checks that the test file exists. Get prereq gets the file from the internet and adds the zone.identifier with the id for "internet". More info: https://www.howtogeek.com/70012/what-causes-the-file-downloaded-from-the-internet-warning-and-how-can-i-easily-remove-it/ https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7 https://www.reddit.com/r/PowerShell/comments/6yyf07/remove_alternate_data_streams/dmrb6zl/
Co-authored-by: Carrie Roberts
---
atomics/T1553.005/T1553.005.yaml | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml
index e31b4c2a..0f1a8003 100644
--- a/atomics/T1553.005/T1553.005.yaml
+++ b/atomics/T1553.005/T1553.005.yaml
@@ -58,4 +58,34 @@ atomic_tests:
 cleanup_command: |
 Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
 Stop-process -name "hello" -Force -ErrorAction ignore
- name: powershell
\ No newline at end of file
+ name: powershell
+
+- name: Remove the Zone.Identifier alternate data stream
+ description: |
+ Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
+ Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_to_download:
+ description: File that will be downloaded to test against.
+ type: url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md
+ file_path:
+ description: File to have the Zone.Identifier removed.
+ type: String
+ default: '$env:tmp\ReadMe.md'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: A test file with the Zone.Identifier attribute must be present.
+ prereq_command: |
+ if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
+ get_prereq_command: |
+ Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
+ Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+ executor:
+ command: |
+ Unblock-File -Path #{file_path}
+ cleanup_command: |
+ Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+ name: powershell
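Review bot: The prereq_command in the new dependencies block only checks that `#{file_path}` exists, while its description says a file with the Zone.Identifier stream must be present; after one run whose cleanup_command did not execute, the file exists without the stream, the prerequisite passes, and `Unblock-File` has nothing to remove, so the test no longer exercises the technique or produces the telemetry a detection would be validated against. The check should also confirm the stream, e.g. `if ((Test-Path "#{file_path}") -and (Get-Item "#{file_path}" -Stream Zone.Identifier -ErrorAction SilentlyContinue)) { EXIT 0 } else { EXIT 1 }`. The other `#{file_path}` and `#{file_to_download}` substitutions are also unquoted, unlike `"#{path_of_iso}"` in the context lines above; a user-supplied path containing a space would break `Test-Path`, `Invoke-WebRequest -OutFile` and `Set-Content -Path`, so quoting them consistently would be safer. The `type: String` on file_path presumably should be `path`, matching how file arguments appear to be typed elsewhere in the project — worth confirming against the schema.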