diff --git a/atomics/T1037/T1037.md b/atomics/T1037/T1037.md
index 6e168502..a63a0e6f 100644
--- a/atomics/T1037/T1037.md
+++ b/atomics/T1037/T1037.md
@@ -14,7 +14,11 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log
- [Atomic Test #1 - Logon Scripts](#atomic-test-1---logon-scripts)
-- [Atomic Test #2 - Logon Scripts - Mac](#atomic-test-2---logon-scripts---mac)
+- [Atomic Test #2 - Starup Folder Script](#atomic-test-2---starup-folder-script)
+
+- [Atomic Test #3 - Scheduled Task Startup Script](#atomic-test-3---scheduled-task-startup-script)
+
+- [Atomic Test #4 - Logon Scripts - Mac](#atomic-test-4---logon-scripts---mac)
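Review bot: "Starup" in the new Test #2 entry is a misspelling of "Startup", and it is carried into the link anchor (`#atomic-test-2---starup-folder-script`) as well as the title. Correct the test name before merge so the heading, the anchor and the index entries agree; fixing it afterwards changes the anchor and breaks any link that already points at it.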
@@ -44,7 +48,53 @@ REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
-## Atomic Test #2 - Logon Scripts - Mac
+## Atomic Test #2 - Starup Folder Script
+A batch file on startup when placed in the start menu folder
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+New-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+Set-Content "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+```
+
+
+#### Cleanup Commands:
+```
+Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+```
+
+
+
+
+## Atomic Test #3 - Scheduled Task Startup Script
+Run an exe on user logon or system startup
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+```
+schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
+schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
+```
+
+
+#### Cleanup Commands:
+```
+schtasks /delete /tn "T1037_OnLogon" /f
+schtasks /delete /tn "T1037_OnStartup" /f
+```
+
+
+
+
+## Atomic Test #4 - Logon Scripts - Mac
Mac logon script
**Supported Platforms:** macOS
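Review bot: In the Test #2 commands, the `New-Item` before each `Set-Content` is redundant and makes the test fail on a second run, because `New-Item` errors when T1037.bat already exists while `Set-Content` creates the file on its own. Drop the two `New-Item` lines (or add `-Force`), and consider `-ErrorAction Ignore` on the cleanup `Remove-Item` calls so cleanup still succeeds when only one of the two files was written. The description "A batch file on startup when placed in the start menu folder" is also missing its verb.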
diff --git a/atomics/index.md b/atomics/index.md
index dbc00b07..545e7d2e 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -86,7 +86,9 @@
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- - Atomic Test #2: Logon Scripts - Mac [macos]
+ - Atomic Test #2: Starup Folder Script [windows]
+ - Atomic Test #3: Scheduled Task Startup Script [windows]
+ - Atomic Test #4: Logon Scripts - Mac [macos]
- [T1031 Modify Existing Service](./T1031/T1031.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
@@ -803,7 +805,9 @@
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- - Atomic Test #2: Logon Scripts - Mac [macos]
+ - Atomic Test #2: Starup Folder Script [windows]
+ - Atomic Test #3: Scheduled Task Startup Script [windows]
+ - Atomic Test #4: Logon Scripts - Mac [macos]
- [T1075 Pass the Hash](./T1075/T1075.md)
- Atomic Test #1: crackmapexec Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 6e0d81aa..e93416c2 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -2880,6 +2880,38 @@ persistence:
/f
'
+ - name: Starup Folder Script
+ description: 'A batch file on startup when placed in the start menu folder
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ New-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ Set-Content "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+ New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+ cleanup_command: |
+ Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ - name: Scheduled Task Startup Script
+ description: 'Run an exe on user logon or system startup
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
+ schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
+ cleanup_command: |
+ schtasks /delete /tn "T1037_OnLogon" /f
+ schtasks /delete /tn "T1037_OnStartup" /f
- name: Logon Scripts - Mac
description: 'Mac logon script
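Review bot: `elevation_required: false` on the Starup Folder Script test does not match its commands: the second pair writes to `$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`, the all-users Startup folder, which a standard user cannot write to by default. Either set `elevation_required: true`, or split the per-user (`$env:APPDATA`) and all-users cases into separate tests so the unelevated one runs cleanly.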
@@ -23061,6 +23093,38 @@ lateral-movement:
/f
'
+ - name: Starup Folder Script
+ description: 'A batch file on startup when placed in the start menu folder
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ New-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ Set-Content "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+ New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+ cleanup_command: |
+ Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+ - name: Scheduled Task Startup Script
+ description: 'Run an exe on user logon or system startup
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
+ schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
+ cleanup_command: |
+ schtasks /delete /tn "T1037_OnLogon" /f
+ schtasks /delete /tn "T1037_OnStartup" /f
- name: Logon Scripts - Mac
description: 'Mac logon script
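Review bot: The two `schtasks /create` lines in the Scheduled Task Startup Script test have no `/f`, so re-running the test without cleanup hits the overwrite prompt for an existing task instead of completing. Add `/f` to both create commands, matching the `/f` already used on the `/delete` cleanup lines. The description could also state that `T1037_OnStartup` runs as SYSTEM, so calc.exe will not appear on the logged-on user's desktop and the run has to be confirmed from process or task telemetry.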
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index a813fb5e..cf506850 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -34,7 +34,7 @@
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- - Atomic Test #2: Logon Scripts - Mac [macos]
+ - Atomic Test #4: Logon Scripts - Mac [macos]
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
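Review bot: The macOS test changes from #2 to #4 only because the two new Windows tests were inserted ahead of it, which also changes its anchor in T1037.md from `#atomic-test-2---logon-scripts---mac` to `#atomic-test-4---logon-scripts---mac`. Appending the new tests after the existing ones would keep the existing test number and anchor stable for anything that references them.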
@@ -157,7 +157,7 @@
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- - Atomic Test #2: Logon Scripts - Mac [macos]
+ - Atomic Test #4: Logon Scripts - Mac [macos]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index ae269bb6..71105d2c 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -288,6 +288,8 @@
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
+ - Atomic Test #2: Starup Folder Script [windows]
+ - Atomic Test #3: Scheduled Task Startup Script [windows]
- [T1031 Modify Existing Service](./T1031/T1031.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
@@ -483,6 +485,8 @@
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
+ - Atomic Test #2: Starup Folder Script [windows]
+ - Atomic Test #3: Scheduled Task Startup Script [windows]
- [T1075 Pass the Hash](./T1075/T1075.md)
- Atomic Test #1: crackmapexec Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)