Generate docs from job=validate_atomics_generate_docs branch=master

atomics/Indexes/Indexes-CSV/index.csv

@@ -131,6 +131,7 @@ defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender C
 defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
 defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
 defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -33,6 +33,7 @@ defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender C
 defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
 defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
 defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
 defense-evasion,T1107,File Deletion,4,Delete a single file - Windows cmd
 defense-evasion,T1107,File Deletion,5,Delete an entire folder - Windows cmd
 defense-evasion,T1107,File Deletion,6,Delete a single file - Windows PowerShell

atomics/Indexes/Indexes-Markdown/index.md

@@ -216,6 +216,7 @@
   - Atomic Test #18: Tamper with Windows Defender Registry [windows]
   - Atomic Test #19: Disable Microft Office Security Features [windows]
   - Atomic Test #20: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -51,6 +51,7 @@
   - Atomic Test #18: Tamper with Windows Defender Registry [windows]
   - Atomic Test #19: Disable Microft Office Security Features [windows]
   - Atomic Test #20: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -7311,6 +7311,26 @@ defense-evasion:
           -All
 
 '
+    - name: Stop and Remove Arbitrary Security Windows Service
+      description: 'Beginning with Powershell 6.0, the Stop-Service cmdlet sends a
+        stop message to the Windows Service Controller for each of the specified services.
+        The Remove-Service cmdlet removes a Windows service in the registry and in
+        the service database.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        service_name:
+          description: The name of the service to remove
+          type: String
+          default: McAfeeDLPAgentService
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |-
+          Stop-Service -Name #{service_name}
+          Remove-Service -Name #{service_name}
   T1107:
     technique:
       x_mitre_data_sources:

atomics/T1089/T1089.md

@@ -44,6 +44,8 @@
 
 - [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files)
 
+- [Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-21---stop-and-remove-arbitrary-security-windows-service)
+
 
 <br/>
 
@@ -716,4 +718,34 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service
+Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| service_name | The name of the service to remove | String | McAfeeDLPAgentService|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Stop-Service -Name #{service_name}
+Remove-Service -Name #{service_name}
+```
+
+
+
+
+
+
 <br/>