Added new tests that hides files through powershell (#2574)

Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Oct 26, 2023 · aa999b9 · aa999b9
1 parent 551948c
commit aa999b9
Showing 1 changed file with 54 additions and 0 deletions.
diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml
@@ -135,3 +135,57 @@ atomic_tests:
       reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: Create Windows Hidden File with powershell
+  description: |
+    Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+    and observe that the Attributes is "H" Hidden.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_modify:
+      description: File to modify 
+      type: string
+      default: '%temp%\T1564.001-9.txt'
+  dependency_executor_name: command_prompt
+  dependencies:
+  - description: |
+      The file must exist on disk at specified location (#{file_to_modify})
+    prereq_command: |
+      IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+    get_prereq_command: |
+      echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+  executor:
+    command: |
+      $file = Get-Item $env:temp\T1564.001-9.txt -Force
+      $file.attributes='Hidden'
+    cleanup_command: |
+      cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+    name: powershell
+    elevation_required: true
+- name: Create Windows System File with powershell
+  description: |
+    Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+    and observe that the Attributes is "S" System.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_modify:
+      description: File to modify 
+      type: string
+      default: '%temp%\T1564.001-10.txt'
+  dependency_executor_name: command_prompt
+  dependencies:
+  - description: |
+      The file must exist on disk at specified location (#{file_to_modify})
+    prereq_command: |
+      IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+    get_prereq_command: |
+      echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+  executor:
+    command: |
+      $file = Get-Item $env:temp\T1564.001-10.txt -Force
+      $file.attributes='System'
+    cleanup_command: |
+      cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+    name: powershell
+    elevation_required: true