* Add test for T1170 that launches local notepad via VBScript called by Mshta
* Apply suggestions from code review
updates to the atomic name & description
Co-Authored-By: Keith McCammon <keith@mccammon.org>
* Update T1170.yaml
updated the input_arguments type to 'path' and the default value to 'C:\Temp\mshta_notepad.vbs'
* Removed TODOs to pass validation
Seems like there is an extra tab here which is cause my yaml parser to break.
```
yaml.scanner.ScannerError: while scanning for the next token
found character '\t' that cannot start any token
in "<unicode string>", line 3, column 33:
display_name: Software Discovery
```
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
* Update T1086.yaml
Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.
Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
* Update T1036.yaml
Added Cleanup commands for the windows tests
The `-o` flag exists only for the MacOs ping command, it doesn't in the Linux (Ubuntu) command.
I just removed it, it should be necessary since it is already using `-c 1`.
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
* Update T1086.yaml
Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.
Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
Carrie Roberts