From 1cc8b3742862f8f6438a895bef5fbdd451e3fad8 Mon Sep 17 00:00:00 2001
From: tenillekay <54289116+tenillekay@users.noreply.github.com>
Date: Mon, 1 Aug 2022 15:45:31 -0500
Subject: [PATCH] Update T1021.006.yaml
Updated Test #2 to make it more complete.
---
atomics/T1021.006/T1021.006.yaml | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml
index d19b621d0a..0a47fb8652 100644
--- a/atomics/T1021.006/T1021.006.yaml
+++ b/atomics/T1021.006/T1021.006.yaml
@@ -14,27 +14,34 @@ atomic_tests:
Enable-PSRemoting -Force
name: powershell
elevation_required: true
-- name: Invoke-Command
+- name: Remote Code Execution with PS Credentials Using Invoke-Command
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
description: |
Execute Invoke-command on remote host.
- Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+ Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
supported_platforms:
- windows
input_arguments:
- host_name:
- description: Remote Windows Host Name
- type: String
- default: localhost
- remote_command:
- description: Command to execute on remote Host
- type: String
- default: ipconfig
+ username:
+ description: The username running the powershell command
+ type: string
+ default: $env:USERNAME
+ remotehost:
+ description: The remote hostname of the machine you are running the powershell command on.
+ type: string
+ default: $env:COMPUTERNAME
+ password:
+ description: The password to be used with the user provided in the previous input argument.
+ type: string
+ default: test12345
executor:
- command: |
- invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+ command: |-
+ $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+ $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+ Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
name: powershell
+
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
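Review bot: The new `password` input defaults to the literal `test12345` while `username` defaults to `$env:USERNAME`, so with defaults the `Invoke-Command -Credential $Cred` call in the executor will fail unless the running account happens to use that password, and the only way to make the test pass is to paste a real credential into an input argument that is then expanded in clear text into `ConvertTo-SecureString "#{password}" -AsPlainText -Force` (visible in Invoke-Atomic output, transcripts and PowerShell script-block logging). Neither the test description nor the `password` description says this, so I would spell it out on the input argument: `description: Password for the user above. The default is a placeholder that will not authenticate; supply a lab credential and note it is expanded into the script block in clear text.`. It may also be worth stating in the description that the target must already have WinRM enabled (the preceding test does this) and that the supplied user needs remote-management rights, otherwise the `whoami` script block never runs. The Evil-WinRM test that follows continues outside this hunk.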