From d081d1dc33b526f64ba084eaea01363c6361eee6 Mon Sep 17 00:00:00 2001
From: sourabhsharmasourabh <114914960+sourabhsharmasourabh@users.noreply.github.com>
Date: Mon, 3 Oct 2022 21:13:01 +0530
Subject: [PATCH] New Atomic test 29 - iwr download (#2172)
* New Atomic test 29 - iwr download iwr or Invoke Web-Request download. Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
* Update T1105.yaml
* Update T1105.yaml at 793 added line for elevation required : true, as it was missed to include earlier
* Update T1105.yaml
Co-authored-by: Carrie Roberts
---
atomics/T1105/T1105.yaml | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index ee25d5ed..f48cacc1 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -769,4 +769,24 @@ atomic_tests:
 Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
 Remove-Item $env:temp\nim
 Remove-Item $env:temp\nim.zip
-
+- name: iwr or Invoke Web-Request download
+ description: |
+ Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
+ supported_platforms:
+ - windows
+ input_arguments:
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: '%temp%\Atomic-license.txt'
+ executor:
+ command: |
+ powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
+ cleanup_command: |
+ del %temp%\Atomic-license.txt >nul 2>&1
+ name: command_prompt
+ elevation_required: true
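Review bot: The `cleanup_command` deletes the hard-coded `%temp%\Atomic-license.txt` instead of the `local_path` input, so any run that overrides `local_path` leaves the downloaded file on the host; it should read `del #{local_path} >nul 2>&1`. `elevation_required: true` also looks unnecessary, because the command only fetches a URL and writes under `%temp%` as the current user; setting it to `false` would let the test run in a non-admin context. Confirm that with the author, since the commit message says the flag was added deliberately. Both inputs are substituted unquoted into a `command_prompt` line, so a URL containing `&` or a path containing spaces would be split or reinterpreted by the shell, and the description of `remote_file` and `local_path` should either state that restriction or the values should be quoted.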