diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md
index 2f3edb38..e26b2f51 100644
--- a/atomics/T1053/T1053.md
+++ b/atomics/T1053/T1053.md
@@ -12,6 +12,8 @@ An adversary may use task scheduling to execute programs at system startup or on
- [Atomic Test #3 - Scheduled task Remote](#atomic-test-3---scheduled-task-remote)
+- [Atomic Test #4 - Powershell Cmdlet Scheduled Task](#atomic-test-4---powershell-cmdlet-scheduled-task)
+
@@ -75,4 +77,30 @@ SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
+
+
+
+## Atomic Test #4 - Powershell Cmdlet Scheduled Task
+Create an atomic scheduled task that leverages native powershell cmdlets.
+These could be concidered "fileless" scheduled task creation.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+$Action = New-ScheduledTaskAction -Execute "calc.exe"
+$Trigger = New-ScheduledTaskTrigger -AtLogon
+$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+$Set = New-ScheduledTaskSettingsSet
+$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+Register-ScheduledTask AtomicTask -InputObject $object
+```
+
+
+#### Cleanup Commands:
+```
+Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 1b19ad84..685e1d01 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -118,6 +118,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
+ - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1180 Screensaver](./T1180/T1180.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
@@ -467,6 +468,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
+ - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
@@ -765,6 +767,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
+ - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Create and Execute Batch Script [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 4fe8e94b..4c6ab4e5 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -4018,6 +4018,24 @@ persistence:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+'
+ - name: Powershell Cmdlet Scheduled Task
+ description: "Create an atomic scheduled task that leverages native powershell
+ cmdlets. \nThese could be concidered \"fileless\" scheduled task creation.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $Action = New-ScheduledTaskAction -Execute "calc.exe"
+ $Trigger = New-ScheduledTaskTrigger -AtLogon
+ $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+ $Set = New-ScheduledTaskSettingsSet
+ $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+ Register-ScheduledTask AtomicTask -InputObject $object
+ cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
+
'
T1180:
technique:
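Review bot: `elevation_required: false` in the new "Powershell Cmdlet Scheduled Task" entry does not match its command, which registers the task for `BUILTIN\Administrators` with `-RunLevel Highest`. From a non-elevated PowerShell session `Register-ScheduledTask` is expected to fail with access denied, so a runner that trusts the flag creates no task and the run says nothing about detection coverage. I would set `elevation_required: true` here and in the identical entries added under `privilege-escalation:` and `execution:` further down this file. The description should also spell out "fileless": no script or payload file is dropped, but Task Scheduler still stores the registered task definition on the host, and that is where a defender would look; the word "concidered" should be "considered". index.yaml looks generated, so both fixes probably belong in the per-technique definition, which is not in the visible diff.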
@@ -14370,6 +14388,24 @@ privilege-escalation:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+'
+ - name: Powershell Cmdlet Scheduled Task
+ description: "Create an atomic scheduled task that leverages native powershell
+ cmdlets. \nThese could be concidered \"fileless\" scheduled task creation.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $Action = New-ScheduledTaskAction -Execute "calc.exe"
+ $Trigger = New-ScheduledTaskTrigger -AtLogon
+ $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+ $Set = New-ScheduledTaskSettingsSet
+ $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+ Register-ScheduledTask AtomicTask -InputObject $object
+ cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
+
'
T1058:
technique:
@@ -22099,6 +22135,24 @@ execution:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+'
+ - name: Powershell Cmdlet Scheduled Task
+ description: "Create an atomic scheduled task that leverages native powershell
+ cmdlets. \nThese could be concidered \"fileless\" scheduled task creation.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $Action = New-ScheduledTaskAction -Execute "calc.exe"
+ $Trigger = New-ScheduledTaskTrigger -AtLogon
+ $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+ $Set = New-ScheduledTaskSettingsSet
+ $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
+ Register-ScheduledTask AtomicTask -InputObject $object
+ cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
+
'
T1064:
technique:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index d320e983..e6a5b668 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -237,6 +237,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
+ - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -325,6 +326,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
+ - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1180 Screensaver](./T1180/T1180.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
@@ -641,6 +643,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
+ - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1035 Service Execution](./T1035/T1035.md)