From b6508a417b23efae3a9d3460235b1c481c71ea64 Mon Sep 17 00:00:00 2001
From: Bakeneko <68653785+RandomLinoge@users.noreply.github.com>
Date: Fri, 19 Sep 2025 22:17:17 +0000
Subject: [PATCH] Update T1491.001.yaml (#3184)

---
 atomics/T1491.001/T1491.001.yaml | 78 ++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/atomics/T1491.001/T1491.001.yaml b/atomics/T1491.001/T1491.001.yaml
index 78ba03b2..1fbac6f1 100644
--- a/atomics/T1491.001/T1491.001.yaml
+++ b/atomics/T1491.001/T1491.001.yaml
@@ -153,3 +153,81 @@ atomic_tests:
     name: command_prompt
     elevation_required: false
+- name: Windows - Display a simulated ransom note via Notepad (non-destructive)
+  description: |
+    Creates a temporary ransom-note text file and opens it in Notepad to
+    simulate ransomware "note display" behavior without making destructive
+    changes. SAFE and non-destructive.
+  supported_platforms:
+  - windows
+  input_arguments:
+    note_filename:
+      description: File name for the simulated ransom note
+      type: string
+      default: "ART-T1491-ransom-note.txt"
+    pid_filename:
+      description: File name for storing Notepad PID
+      type: string
+      default: "ART-T1491-notepad.pid"
+    note_title:
+      description: Title at the top of the ransom note
+      type: string
+      default: "!!! READ_ME_NOW !!!"
+    note_body:
+      description: The body of the ransom note (plain text)
+      type: string
+      default: |
+        Your files are SAFE. This is a TEST note for detection validation
+        by bak3n3k0. No data has been encrypted. This simulation exercises
+        detections for:
+        - notepad.exe launched with a ransom-themed text file
+        - creation of a ransom-themed text file in %TEMP%
+        NON-DESTRUCTIVE Atomic Red Team test.
+  dependencies:
+  - description: Notepad must be present on the system
+    dependency_executor_name: command_prompt
+    prereq_command: "where notepad"
+    get_prereq_command: ""
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $notePath = Join-Path $env:TEMP "#{note_filename}"
+      $pidPath = Join-Path $env:TEMP "#{pid_filename}"
+
+      $Title = "#{note_title}"
+      $Body = "#{note_body}"
+
+      $header = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
+      $content = $header + $Body
+
+      [System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)
+
+      $p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
+      $p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force
+    cleanup_command: |
+      try {
+        # 1. Kill all Notepad processes
+        Get-Process notepad -ErrorAction SilentlyContinue |
+          ForEach-Object {
+            Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
+          }
+
+        # 2. Wait briefly for Windows to release file handles
+        Start-Sleep -Seconds 1
+
+        # 3. Force delete ransom note + PID file
+        $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
+        $pidPath = Join-Path $env:TEMP "ART-T1491-notepad.pid"
+
+        if (Test-Path $notePath) {
+          Remove-Item $notePath -Force -ErrorAction Stop
+        }
+        if (Test-Path $pidPath) {
+          Remove-Item $pidPath -Force -ErrorAction Stop
+        }
+      }
+      catch {
+        Write-Warning "Cleanup failed with error: $_"
+      }
+
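Review bot: The cleanup_command ignores the PID file the executor writes and instead force-stops every notepad.exe on the host (`Get-Process notepad -ErrorAction SilentlyContinue | ForEach-Object { Stop-Process -Id $_.Id -Force ... }`), which discards unsaved work in any Notepad window the operator or another logged-on user has open. It also hardcodes `ART-T1491-ransom-note.txt` and `ART-T1491-notepad.pid` instead of `#{note_filename}` / `#{pid_filename}`, so overriding either input argument leaves the note and PID file behind in %TEMP%. Since the executor already records `$p.Id` in `$pidPath`, the cleanup should read that PID back, stop only that process, and derive both paths from the input arguments; `-ErrorAction SilentlyContinue` keeps it harmless when the window was already closed. The residual risk of PID reuse between execution and cleanup is small but worth a one-line comment.
```yaml
    cleanup_command: |
      try {
        $notePath = Join-Path $env:TEMP "#{note_filename}"
        $pidPath = Join-Path $env:TEMP "#{pid_filename}"

        # 1. Stop only the Notepad instance this test launched (PID recorded by the executor).
        #    A reused PID could in theory stop another process; acceptable for a lab host.
        if (Test-Path $pidPath) {
          $notepadPid = Get-Content $pidPath -ErrorAction SilentlyContinue | Select-Object -First 1
          if ("$notepadPid" -match '^\s*(\d+)\s*$') {
            Stop-Process -Id ([int]$Matches[1]) -Force -ErrorAction SilentlyContinue
          }
        }

        # 2. Wait briefly for Windows to release file handles
        Start-Sleep -Seconds 1

        # 3. Remove ransom note + PID file
        # … unchanged: Test-Path / Remove-Item for $notePath and $pidPath …
      }
      # … unchanged: catch block with Write-Warning …
```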