From aeeba08bbcdc79cad97a3c90994e4ec0212fb819 Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Mon, 18 Nov 2019 07:50:36 -0800
Subject: [PATCH] Reach out to C2 Pointer URLs via command line (#644)

* add urls and create test folder
* make test more realistic, cleanup command still broken
* use C drive instead of Temp because of permissions
* update paths
* update descriptions
---
 atomics/T1102/T1102.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 atomics/T1102/T1102.yaml

diff --git a/atomics/T1102/T1102.yaml b/atomics/T1102/T1102.yaml
new file mode 100644
index 00000000..2aafb725
--- /dev/null
+++ b/atomics/T1102/T1102.yaml
@@ -0,0 +1,34 @@
+---
+attack_technique: T1102
+display_name: Web Service
+
+atomic_tests:
+- name: Reach out to C2 Pointer URLs via command_prompt
+  description: |
+    Download data from a public website using command line
+  supported_platforms:
+    - windows
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
+    cleanup_command: |
+      del %TEMP%\bitsadmindownload.html
+
+
+- name: Reach out to C2 Pointer URLs via powershell
+  description: |
+    Multiple download methods for files using powershell
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Invoke-WebRequest -Uri www.twitter.com
+      $T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
+      $wc = New-Object System.Net.WebClient
+      $T1102 = $wc.DownloadString("https://www.aol.com/")
+    cleanup_command: |
+      Clear-Variable T1102
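Review bot: The first line of the powershell test's `command` block, `Invoke-WebRequest -Uri www.twitter.com`, has no scheme, and Invoke-WebRequest in my experience rejects a scheme-less string as a relative URI rather than fetching it, so that download method would error out instead of generating the network activity the test is meant to produce; it should read `Invoke-WebRequest -Uri https://www.twitter.com`. The commit message says the download was moved to the C drive "because of permissions", but the bitsadmin test still writes and deletes `%TEMP%\bitsadmindownload.html`, so either the message or the path is stale and the two should be reconciled before merge. Both descriptions should also tell the operator that the tests contact live third-party sites — including the plain-HTTP `http://www.stealmylogin.com/` used as the BITS source — so a run needs outbound web access and will appear in proxy and BITS logs; something like `Requires outbound HTTP/HTTPS access; requests to the listed public sites (and the BITS job) are expected to appear in proxy and event logs.` would do. Minor: the BITS job name `"DonwloadFile"` is misspelled, and the powershell cleanup clears `$T1102` but leaves `$wc`.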