From f4bdccc90578bd5ed8b62660b9e34b85632df04b Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Fri, 2 Apr 2021 08:29:46 -0500
Subject: [PATCH] t1564-update (#1411)

Co-authored-by: Toua Lor
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
---
 atomics/T1564/T1564.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml
index 7f771af3..994581c9 100644
--- a/atomics/T1564/T1564.yaml
+++ b/atomics/T1564/T1564.yaml
@@ -38,3 +38,21 @@ atomic_tests:
 cleanup_command: |
 Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
 name: powershell
+- name: Create a user called "$" as noted here
+ description: Creating a user with a username containing "$"
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: net user $ ATOMIC123! /add /active:yes
+ cleanup_command: net user $ /DELETE 2>&1
+- name: Create an "Administrator " user (with a space on the end)
+ description: Creating a user with a username containing with a space on the end
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: New-LocalUser -Name "Administrator " -NoPassword
+ cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
\ No newline at end of file
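Review bot: The first added test hard-codes a publicly visible password (`ATOMIC123!`) on an account created with `/active:yes`, and the second creates `"Administrator "` with `-NoPassword`, so a host where cleanup is skipped or fails keeps an easily overlooked local account with known or empty credentials. I would move the password into `input_arguments` so operators can override it per run, and put the command in a block scalar so that `#{password}` is not parsed as a YAML comment. The descriptions should also state that `cleanup_command` must be run and that leftover `$` or `Administrator ` accounts should be checked for afterwards. Separately, the first test's name says "as noted here" but no reference appears in the name or description, and the second description reads "containing with a space on the end"; both are wording fixes.

```yaml
- name: Create a user called "$" as noted here
  # … unchanged: description, supported_platforms …
  input_arguments:
    password:
      description: Password assigned to the "$" test account
      type: string
      default: ATOMIC123!
  executor:
    # … unchanged: name, elevation_required …
    command: |
      net user $ #{password} /add /active:yes
    # … unchanged: cleanup_command …
```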