From 3bc01cabb5cda152358a3b038204e9943f1c20c8 Mon Sep 17 00:00:00 2001
From: abhijose09
Date: Wed, 24 Jul 2024 07:46:20 +0530
Subject: [PATCH] 3 new tests added (#2863)

3 new Tests added : Abusing MyComputer Disk Backup Path for Persistence Abusing MyComputer Disk Cleanup Path for Persistence Abusing MyComputer Disk Fragmentation Path for Persistence

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 10e9b81d8a..920b238439 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -1317,3 +1317,40 @@ atomic_tests:
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "" /f
     name: command_prompt
     elevation_required: true
+
+- name: Abusing MyComputer Disk Cleanup Path for Persistence
+  description: |
+    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+    cleanup_command: |
+      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%SystemRoot%\System32\cleanmgr.exe /D %c" /f
+    name: command_prompt
+    elevation_required: true
+- name: Abusing MyComputer Disk Fragmentation Path for Persistence
+  description: |
+    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+    cleanup_command: |
+      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\dfrgui.exe" /f
+    name: command_prompt
+    elevation_required: true
+- name: Abusing MyComputer Disk Backup Path for Persistence
+  description: |
+    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+    cleanup_command: |
+      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sdclt.exe" /f
+    name: command_prompt
+    elevation_required: true
\ No newline at end of file
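Review bot: The cleanup_command of each of the three new tests writes a hard-coded default back into cleanuppath, DefragPath and BackupPath rather than the value that was present before the test ran, so on a host where any of those paths had been customized the cleanup silently replaces that configuration; the same issue applies to all three tests in this hunk. Capturing the key first, e.g. `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer" "%temp%\mycomputer_paths.reg" /y` in command and `reg import "%temp%\mycomputer_paths.reg"` in cleanup_command, restores the actual prior state instead of an assumed one. The description block is word-for-word identical across the three tests and never names what is being changed; it should state the specific registry value each test rewrites and the Explorer action (Disk Cleanup, Defragment, Backup) whose launch path it redirects, so that someone building detection for this technique knows which registry write to look for. The final added line also lacks a trailing newline (`\ No newline at end of file`), which yamllint reports and which will show up as noise in the next diff touching the end of the file.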