From 3ae4d98bb8ed941503f6be3bb07e582b8bd1e832 Mon Sep 17 00:00:00 2001
From: rctgardner <59621072+rctgardner@users.noreply.github.com>
Date: Tue, 8 Jun 2021 18:05:29 -0600
Subject: [PATCH 1/2] Added 2 tests for T1036.005 One Windows and one Linux/macOS
---
atomics/T1036.005/T1036.005.yaml | 51 ++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 atomics/T1036.005/T1036.005.yaml

diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml
new file mode 100644
index 00000000..05a1bdd7
--- /dev/null
+++ b/atomics/T1036.005/T1036.005.yaml
@@ -0,0 +1,51 @@
+---
+attack_technique: T1036.005
+display_name: 'Masquerading: Match Legitimate Name or Location'
+
+atomic_tests:
+- name: Execute a process from a directory masquerading as the current parent directory.
+ description: |
+ Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+ supported_platforms:
+ - macos
+ - linux
+
+ input_arguments:
+ test_message:
+ description: Test message to echo out to the screen
+ type: String
+ default: Hello from the Atomic Red Team test T1036.005#1
+
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ mkdir $HOME/...
+ cp $(which sh) $HOME/...
+ $HOME/.../sh -c "echo #{test_message}"
+ cleanup_command: |
+ rm -f $HOME/.../sh
+ rmdir $HOME/.../
+
+- name: Execute a process masquerading as a legitimate Windows binary
+ description: |
+ Create and execute a process masquerading as a legitimate Windows binary
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ test_message:
+ description: Test message to echo out to the screen
+ type: String
+ default: Hello from the Atomic Red Team test T1036.005#2
+
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ copy %WINDIR%\System32\cmd.exe /Y %PUBLIC%\svchost.exe
+ start %PUBLIC%\svchost.exe /C echo "#{test_message}"
+ cleanup_command: |
+ del %PUBLIC%\svchost.exe >nul 2>&1
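Review bot: The sh executor's `mkdir $HOME/...` has no `-p` and none of the `$HOME` paths in the command or cleanup lines are quoted, so a re-run after a failed cleanup errors on the existing `...` directory and a home directory containing spaces breaks both the copy and the execution line; `mkdir -p "$HOME/..."`, `cp "$(which sh)" "$HOME/..."` and `"$HOME/.../sh" -c "echo #{test_message}"` handle both, with the same quoting applied to `rm -f` and `rmdir`. The description states only what is created; it could also state what the test leaves for a detection to observe — a copy of sh executed from a `...` directory under the home directory, which is the path anomaly the technique name refers to — so the success criterion is explicit. Nothing is raised on the second (Windows) test in this hunk because the following patch removes it.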
From 09c413e64a57c8ab2ed7eb77bee60ab7e2b9b2ad Mon Sep 17 00:00:00 2001
From: rctgardner <59621072+rctgardner@users.noreply.github.com>
Date: Wed, 9 Jun 2021 13:25:13 -0600
Subject: [PATCH 2/2] removed windows test from t1036.005
---
atomics/T1036.005/T1036.005.yaml | 22 ----------------------
1 file changed, 22 deletions(-)

diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml
index 05a1bdd7..4c81dd2d 100644
--- a/atomics/T1036.005/T1036.005.yaml
+++ b/atomics/T1036.005/T1036.005.yaml
@@ -27,25 +27,3 @@ atomic_tests:
 cleanup_command: |
 rm -f $HOME/.../sh
 rmdir $HOME/.../
-
-- name: Execute a process masquerading as a legitimate Windows binary
- description: |
- Create and execute a process masquerading as a legitimate Windows binary
-
- supported_platforms:
- - windows
-
- input_arguments:
- test_message:
- description: Test message to echo out to the screen
- type: String
- default: Hello from the Atomic Red Team test T1036.005#2
-
- executor:
- name: command_prompt
- elevation_required: false
- command: |
- copy %WINDIR%\System32\cmd.exe /Y %PUBLIC%\svchost.exe
- start %PUBLIC%\svchost.exe /C echo "#{test_message}"
- cleanup_command: |
- del %PUBLIC%\svchost.exe >nul 2>&1