From 857394524806f0b9fb50c4cb25d9a2a8319cabf6 Mon Sep 17 00:00:00 2001
From: biot-2131 <121760096+biot-2131@users.noreply.github.com>
Date: Tue, 17 Jan 2023 21:32:05 +0000
Subject: [PATCH 1/3] T1059.004 New script file in the tmp directory
---
 atomics/T1059.004/T1059.004.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index ef45dfb7..80658185 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -98,3 +98,17 @@ atomic_tests: cleanup_command: | rm -rf #{linenum} name: sh
+- name: Create and Execute Bash Shell Script description: | An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed. supported_platforms: - linux executor: name: sh elevation_required: false command: | TMPFILE=$(mktemp) echo "id" > $TMPFILE bash $TMPFILE cleanup_command: | rm $TMPFILE
From abf60a74990ae36fa92f94b3224ac56216bb3a7c Mon Sep 17 00:00:00 2001
From: biot-2131 <121760096+biot-2131@users.noreply.github.com>
Date: Tue, 17 Jan 2023 21:51:01 +0000
Subject: [PATCH 2/3] updated the title
---
 atomics/T1059.004/T1059.004.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index 80658185..388ce7c3 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml 
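Review bot: `cleanup_command` runs `rm $TMPFILE` in a different shell from the `command` block where `TMPFILE=$(mktemp)` was assigned, so the variable is empty at cleanup time, `rm` is invoked with no operand, and the generated script stays on disk; patch 3/3, which appends `unset TMPFILE` to the same cleanup block, rests on the same assumption. That the executor spawns a fresh process per block is inferred from the sibling test above, whose cleanup references a fixed path through the `#{linenum}` input argument rather than a shell variable, so confirm against the executor before changing it. Either delete the file at the end of `command` itself — `bash "$TMPFILE"` followed by `rm -f "$TMPFILE"` — and reduce `cleanup_command` to a best-effort `rm -f`, or move the path into an `input_arguments` entry with a fixed default so both blocks expand the same value. Quoting `"$TMPFILE"` on the `echo` and `bash` lines is cheap hardening even though the default mktemp template contains no whitespace. The description also states the file lands in /tmp, but mktemp honors `$TMPDIR`, so `the /tmp directory` would be more accurate as `a temporary directory (/tmp unless $TMPDIR is set)`.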
@@ -98,7 +98,7 @@ atomic_tests: cleanup_command: | rm -rf #{linenum} name: sh
-- name: Create and Execute Bash Shell Script
+- name: New script file in the tmp directory description: | An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed. supported_platforms:
From 6b06371f413aeead0b7cc7faba7821f68b1dcd06 Mon Sep 17 00:00:00 2001
From: biot-2131 <121760096+biot-2131@users.noreply.github.com>
Date: Tue, 17 Jan 2023 22:56:32 +0000
Subject: [PATCH 3/3] added unset command
---
 atomics/T1059.004/T1059.004.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index 388ce7c3..5b71a940 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -112,3 +112,4 @@ atomic_tests: bash $TMPFILE cleanup_command: | rm $TMPFILE
+ unset TMPFILE