Update T1078.003.yaml (#2867)

Added new test "Use PsExec to elevate to NT Authority\SYSTEM account"

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1078.003/T1078.003.yaml

@@ -204,4 +204,28 @@ atomic_tests:
       pw usermod nobody -s /usr/sbin/nologin
       cat /etc/passwd |grep nobody
       # -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
+- name: Use PsExec to elevate to NT Authority\SYSTEM account
+  description: |    
+    PsExec is a powerful tool most known for its remote management capability. However, it can also be used to run processes as the local system account.
 
+    The local system account is a default windows account which has unrestricted access to all system resources.
+    
+    Upon successful execution, PsExec.exe will spawn a command prompt which will run 'whoami' as the local system account and then exit.    
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      PsExec tool from Sysinternals must exist in the ExternalPayloads directory
+    prereq_command: |
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
+      Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami