From d4c966f6de14fa8daae1c077cb8c7ebb58613f76 Mon Sep 17 00:00:00 2001
From: Swelc
Date: Tue, 26 Jun 2018 07:34:07 -0500
Subject: [PATCH] T1065 added
---
atomics/T1065/T1065.yaml | 50 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 atomics/T1065/T1065.yaml
diff --git a/atomics/T1065/T1065.yaml b/atomics/T1065/T1065.yaml
new file mode 100644
index 00000000..f96d5738
--- /dev/null
+++ b/atomics/T1065/T1065.yaml
@@ -0,0 +1,50 @@
+---
+attack_technique: T1065
+display_name: Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls.
+
+atomic_tests:
+- name: Testing usage of uncommonly used port with PowerShell
+ description: |
+ Testing uncommonly used port utilizing PowerShell
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ port:
+ description: Specify uncommon port number
+ type: String
+ default: 8081
+ hostname:
+ description: Specify target hostname
+ type: String
+ default: google.com
+
+ executor:
+ name: powershell
+ command: |
+ test-netconnection -ComputerName #{hostname} -port #{port}
+
+- name: Testing usage of uncommonly used port
+ description: |
+ Testing uncommonly used port utilizing telnet.
+
+ supported_platforms:
+ - linux
+ - macos
+
+ input_arguments:
+ port:
+ description: Specify uncommon port number
+ type: String
+ default: 8081
+ hostname:
+ description: Specify target hostname
+ type: String
+ default: google.com
+
+ executor:
+ name: sh
+ command: |
+ telnet #{hostname} #{port}
+
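Review bot: In the second test's `command`, `telnet #{hostname} #{port}` is interactive, so when the connection succeeds the step waits on stdin and an unattended run hangs; `telnet` is also missing by default on many current Linux and macOS installs, and the test declares no prerequisite for it. A bounded check such as `nc -z -w 5 "#{hostname}" "#{port}"` exits on its own and quotes the substituted values so that a hostname containing shell metacharacters is not interpreted by `sh`, though flag support varies between netcat builds and should be confirmed on the supported platforms. Both tests default `hostname` to `google.com`, which probably does not answer on 8081, so a run yields only a failed connection attempt to a third party; a listener the tester controls would give detections an established flow to validate against. Separately, `display_name` holds a descriptive sentence rather than the technique name, and `default: 8081` is declared `type: String` but parses as an integer, so `default: "8081"` would match the declared type.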