Atomic that mimics recent Qakbot behavior (#1793)

* Atomic that mimics recent Qakbot behavior

* small edits

removed elevation_required, shortened test name, made some readability updates.

Co-authored-by: Wilson <SWilson@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1053.005/T1053.005.yaml

@@ -141,3 +141,25 @@ atomic_tests:
       Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
     cleanup_command: |
       Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
+- name: Scheduled Task Executing Base64 Encoded Commands From Registry
+  description: |
+    A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.
+    The scheduled task will launch powershell to decode and run the command in the rgistry daily.
+    This is a persistence mechanism recently seen in use by Qakbot.  
+    
+    [Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    time:
+      description: Daily scheduled task execution time
+      type: string
+      default: 07:45
+  executor:
+    command: |
+      reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
+      schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
+    cleanup_command: |
+      schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
+      reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
+    name: command_prompt