From 7a411af7f61ffcd28c8c95e0a4d9d7a00fb2729a Mon Sep 17 00:00:00 2001
From: biot-2131 <121760096+biot-2131@users.noreply.github.com>
Date: Sun, 12 Feb 2023 15:14:01 +0000
Subject: [PATCH 1/2] T1059.004 Added two tests

---
 atomics/T1059.004/T1059.004.yaml | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index dbd5bae4..bd4881aa 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -162,3 +162,38 @@ atomic_tests:
       echo "\$ART=$ART"
       echo -n "$ART" |base64 -d |/bin/bash
       unset ART
+- name: Change login shell
+  description: |
+    An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
+  supported_platforms:
+  - linux
+  dependencies:
+  - description: |
+      chsh - change login shell, must be installed
+    prereq_command: |
+      if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
+    get_prereq_command: |
+      echo "Automated installer not implemented yet, please install chsh manually"
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      useradd -s /bin/bash art
+      cat /etc/passwd |grep ^art
+      chsh -s /bin/sh art
+      cat /etc/passwd |grep ^art
+    cleanup_command: |
+      userdel art
+- name: Environment variable scripts
+  description: |
+    An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      export ART='echo "Atomic Red Team was here... T1059.004"'
+      echo $ART |/bin/bash
+    cleanup_command: |
+      unset ART
\ No newline at end of file
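Review bot: `useradd -s /bin/bash art` in the "Change login shell" command block is not guarded, so on a host where an `art` account already exists useradd fails, `chsh -s /bin/sh art` then rewrites the real account's login shell and the cleanup `userdel art` deletes that real account. Abort before touching anything pre-existing with a first line of `if id art >/dev/null 2>&1; then echo "user art already exists, refusing to continue"; exit 1; fi`. `cat /etc/passwd |grep ^art` also matches any account whose name merely starts with "art" (e.g. `arthur`); `grep '^art:' /etc/passwd` pins the username field. Because useradd creates a home directory by default on some distributions, `useradd -M -s /bin/bash art` (or `userdel -r art` in cleanup) keeps the test from leaving `/home/art` behind, and the prereq check could use `command -v chsh >/dev/null || exit 1` instead of the hard-coded `/usr/bin/chsh` path so it does not fail on systems where chsh lives elsewhere.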
From a8076269ce499c7fecb0250678e7af6c4e1dccf1 Mon Sep 17 00:00:00 2001
From: Biological Robot <121760096+biot-2131@users.noreply.github.com>
Date: Sun, 12 Feb 2023 15:22:08 +0000
Subject: [PATCH 2/2] Update T1059.004.yaml

---
 atomics/T1059.004/T1059.004.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index bd4881aa..7c02fdfb 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -168,7 +168,7 @@ atomic_tests:
   supported_platforms:
   - linux
   dependencies:
-  - description: |
+  - description: |
       chsh - change login shell, must be installed
     prereq_command: |
       if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
@@ -196,4 +196,4 @@ atomic_tests:
       export ART='echo "Atomic Red Team was here... T1059.004"'
       echo $ART |/bin/bash
     cleanup_command: |
-      unset ART
\ No newline at end of file
+      unset ART