redcanaryco · mcs-42 · Aug 13, 2025 · Aug 24, 2025 · Aug 24, 2025 · Aug 24, 2025
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
@@ -1269,6 +1269,29 @@ atomic_tests:
 
     name: powershell
     elevation_required: false
+
+- name: Download Python and Unzip 
+  description: |
+    Downloading Python ZIP archive to execute malware on Windows systems without Python pre-installed.
+  supported_platforms:
+    - windows
+  input_arguments:
+    python_url:
+      description: Python download URL
+      type: string
+      default: https://www.python.org/ftp/python/3.13.6/python-3.13.6-embed-amd64.zip
+    dir_path:
+      description: Base directory to store the ZIP file and export archive
+      type: string
+      default: $env:Temp/atomic_python
+  executor:
+    command: |
+      Invoke-WebRequest "#{python_url}" -Outfile #{dir_path}.zip
+      Expand-Archive #{dir_path}.zip #{dir_path} -PassThru -ErrorAction SilentlyContinue
+    cleanup_command: |
+      Remove-Item -Recurs "#{dir_path}.zip", "#{dir_path}" -ErrorAction Ignore
+    name: powershell
+    elevation_required: false
 - name: Curl Insecure Connection from a Pod
   auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
   description: |
@@ -1299,4 +1322,4 @@ atomic_tests:
     name: bash
     elevation_required: false
     command: |
-      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}