diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0f140af2b3..52083a514c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -1253,6 +1253,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt +command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 9748317bac..199d88311f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -909,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt +command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 9c728cb9a0..06331add83 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -2095,6 +2095,7 @@ - Atomic Test #23: Lolbas replace.exe use to copy file [windows] - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows] - Atomic Test #25: certreq download [windows] + - Atomic Test #26: Download a file using wscript [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 79c3f98364..f29c6a37be 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1521,6 +1521,7 @@ - Atomic Test #23: Lolbas replace.exe use to copy file [windows] - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows] - Atomic Test #25: certreq download [windows] + - Atomic Test #26: Download a file using wscript [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a944ce29b4..520c8a9ee0 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -91410,6 +91410,21 @@ command-and-control: command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}' cleanup_command: 'del #{local_path} >nul 2>&1' name: command_prompt + - name: Download a file using wscript + auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188 + description: Use wscript to run a local VisualBasic file to download a remote + file + supported_platforms: + - windows + input_arguments: + vbscript_file: + description: Full path to the VisualBasic downloading the file + type: String + default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs + executor: + command: 'wscript.exe #{vbscript_file}' + cleanup_command: del Atomic-License.txt >nul 2>&1 + name: command_prompt T1001.002: technique: x_mitre_platforms: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index ffac86806e..74f3f203c7 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co - [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download) +- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript) +
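Review bot: The executor `command: 'wscript.exe #{vbscript_file}'` in the new T1105 entry passes the script path unquoted, so the default `PathToAtomicsFolder\T1105\src\T1105-download-file.vbs` breaks as soon as the atomics folder resolves to a path containing a space; quote it as `command: 'wscript.exe "#{vbscript_file}"'`. The cleanup `del Atomic-License.txt >nul 2>&1` only works if the VBS writes exactly that filename into the runner's current working directory — neither the download URL nor the output path is visible here and the `.vbs` file itself is not part of this diff, so that should be confirmed and, if possible, the output path made an explicit input argument that both the script and the cleanup use. Consider also a `dependencies:` entry whose `prereq_command` checks that `#{vbscript_file}` exists, so a missing script fails as an unmet prerequisite rather than as a wscript error. Since index.yaml is a generated index, these fixes belong in the source definition (presumably atomics/T1105/T1105.yaml), which is outside this diff.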
@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1 +
+
+ +## Atomic Test #26 - Download a file using wscript +Use wscript to run a local VisualBasic file to download a remote file + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder\T1105\src\T1105-download-file.vbs| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +wscript.exe #{vbscript_file} +``` + +#### Cleanup Commands: +```cmd +del Atomic-License.txt >nul 2>&1 +``` + + + + +