From c2bcb1c2a645d81a218c4e12be710f50eea9e0f0 Mon Sep 17 00:00:00 2001 From: Mohana Shankar D <48013681+msdlearn@users.noreply.github.com> Date: Tue, 4 Jun 2024 20:09:56 +0530 Subject: [PATCH] Update T1057.yaml (#2791) New Process discovery atomic using PC hunter Co-authored-by: Hare Sudhan Co-authored-by: Carrie Roberts --- atomics/T1057/T1057.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+)
diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml
index 4f22d553..f541d38b 100644
--- a/atomics/T1057/T1057.yaml
+++ b/atomics/T1057/T1057.yaml
@@ -111,3 +111,27 @@ atomic_tests:
 command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
 name: powershell
 elevation_required: true
+- name: Process Discovery - PC Hunter
+ description: PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more. When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
+ supported_platforms:
+ - windows
+ input_arguments:
+ pchunter64_exe:
+ description: Process hacker installation executables.
+ type: string
+ default: PChunter64.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: PCHunter must be present in device
+ prereq_command: |
+ if (Get-ChildItem -Path C:\ -Include *PCHunter64* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
+ get_prereq_command: |-
+ Write-Host Downloading PC Hunter
+ New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+ Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "C:\Temp\ExternalPayloads\PCHunter_free.zip"
+ Expand-Archive -LiteralPath 'C:\Temp\ExternalPayloads\PCHunter_free.zip' -DestinationPath C:\Temp\ExternalPayloads
+ Write-Host Unzipping Installing Process Hunter
+ executor:
+ command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
+ name: powershell
+ elevation_required: true
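Review bot: The `get_prereq_command` downloads `PCHunter_free.zip` from a third-party mirror (snapfiles.com) and the executor then launches the extracted binary with `elevation_required: true`, with no integrity check in between, so a swapped or tampered archive runs as administrator on the test host. Pin a SHA256 of the known-good archive in the test and verify it before `Expand-Archive`, e.g. `if ((Get-FileHash -Algorithm SHA256 'C:\Temp\ExternalPayloads\PCHunter_free.zip').Hash -ne $expected_sha256) { throw 'PCHunter_free.zip hash mismatch' }`, with `$expected_sha256` set to the hash recorded when the test was authored. The `prereq_command` also recurses the whole of `C:\` for `*PCHunter64*` instead of checking the path the executor actually runs, so it can pass while `Start-Process` fails; `if (Test-Path "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}") {exit 0} else {exit 1}` is cheaper and matches the executor, though whether the archive really extracts into a `PCHunter_free` subfolder is not visible here and should be confirmed against the zip. The `pchunter64_exe` description still reads "Process hacker installation executables", a copy-paste from the preceding Process Hacker test whose tail forms the hunk's context lines. There is no `cleanup_command`, so the launched PCHunter process is left running after the test.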