From fb03ba8f32ca31e963a654489f866fcc6fba91bf Mon Sep 17 00:00:00 2001
From: arames13 <91679765+arames13@users.noreply.github.com>
Date: Tue, 9 Aug 2022 20:05:43 -0500
Subject: [PATCH] Update T1083 to add new test (#2071)

* Update T1083 to add new test
* typo fix
* Update T1083.yaml - Have a prereq to fetch the tool from the releases page of the original author - remove the cleanup command that deletes the tool
* some updates Modified the name and description. Updated the prereq commands to handle error cases or missing /bin folder
* Delete DirLister.exe.config
* Delete DirLister.Core.dll
* Delete DirLister.exe
Co-authored-by: anupama ramesh
Co-authored-by: Carrie Roberts
---
 atomics/T1083/T1083.yaml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml
index 2446c249..3493d36b 100644
--- a/atomics/T1083/T1083.yaml
+++ b/atomics/T1083/T1083.yaml
@@ -117,3 +117,34 @@ atomic_tests:
 cleanup_command: |
 remove-item #{File_to_output} -ErrorAction SilentlyContinue
 name: powershell
+- name: Launch DirLister Executable
+ description: |-
+ Launches the DirLister executable for a short period of time and then exits.
+
+ Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
+ supported_platforms:
+ - windows
+ input_arguments:
+ dirlister_path:
+ description: 'Path to the DirLister executable '
+ type: String
+ default: PathToAtomicsFolder\T1083\bin\DirLister.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ DirLister.exe must exist in the specified path #{dirlister_path}
+ prereq_command: |
+ if (Test-Path #{dirlister_path}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ $parentpath = Split-Path "#{dirlister_path}"
+ Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile $env:TEMP\TDirLister.v2.beta4.zip
+ New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
+ Expand-Archive -Path $env:TEMP\TDirLister.v2.beta4.zip -DestinationPath $env:TEMP\TDirLister.v2.beta4 -Force
+ Copy-Item $env:TEMP\TDirLister.v2.beta4\* $parentpath -Recurse
+ Remove-Item $env:TEMP\TDirLister.v2.beta4.zip,$env:TEMP\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore
+ executor:
+ command: |
+ Start-Process #{dirlister_path}
+ Start-Sleep -Second 4
+ Stop-Process -Name "DirLister"
+ name: powershell
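Review bot: The path argument is expanded unquoted in `Test-Path #{dirlister_path}` (prereq_command) and `Start-Process #{dirlister_path}` (executor), so a PathToAtomicsFolder containing a space breaks both the check and the launch, while the same hunk already quotes it in `Split-Path "#{dirlister_path}"`; quote all three the same way. `Stop-Process -Name "DirLister"` also terminates every process with that name rather than the one this test started; capturing the handle with `$proc = Start-Process "#{dirlister_path}" -PassThru` and ending it with `Stop-Process -Id $proc.Id` keeps the test scoped to its own process. The get_prereq_command extracts and copies the downloaded archive without an integrity check; comparing `Get-FileHash` output against a pinned value (<EXPECTED_SHA256 placeholder>) before Expand-Archive would detect a replaced or altered release asset. `Start-Sleep -Second 4` relies on PowerShell parameter-prefix matching; the full parameter name is `-Seconds`.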