From 09c8adfbef18486eea593a5a54507c57a129e487 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 27 Apr 2020 19:54:47 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 20 ++++++++++++
 atomics/T1089/T1089.md | 32 +++++++++++++++++++
 6 files changed, 56 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 3530c1cf..dad0f768 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -131,6 +131,7 @@ defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender C
 defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
 defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
 defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 4b330f42..59642804 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -33,6 +33,7 @@ defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender C
 defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
 defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
 defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
 defense-evasion,T1107,File Deletion,4,Delete a single file - Windows cmd
 defense-evasion,T1107,File Deletion,5,Delete an entire folder - Windows cmd
 defense-evasion,T1107,File Deletion,6,Delete a single file - Windows PowerShell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index e15e483b..5fbd21e5 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -216,6 +216,7 @@
  - Atomic Test #18: Tamper with Windows Defender Registry [windows]
  - Atomic Test #19: Disable Microft Office Security Features [windows]
  - Atomic Test #20: Remove Windows Defender Definition Files [windows]
+ - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index b5aeb8b3..7d57a3a9 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -51,6 +51,7 @@
  - Atomic Test #18: Tamper with Windows Defender Registry [windows]
  - Atomic Test #19: Disable Microft Office Security Features [windows]
  - Atomic Test #20: Remove Windows Defender Definition Files [windows]
+ - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 68580f25..1989889c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -7311,6 +7311,26 @@ defense-evasion:
             -All
 
 '
+      - name: Stop and Remove Arbitrary Security Windows Service
+        description: 'Beginning with Powershell 6.0, the Stop-Service cmdlet sends a
+          stop message to the Windows Service Controller for each of the specified services.
+          The Remove-Service cmdlet removes a Windows service in the registry and in
+          the service database.
+
+'
+        supported_platforms:
+        - windows
+        input_arguments:
+          service_name:
+            description: The name of the service to remove
+            type: String
+            default: McAfeeDLPAgentService
+        executor:
+          name: powershell
+          elevation_required: true
+          command: |-
+            Stop-Service -Name #{service_name}
+            Remove-Service -Name #{service_name}
   T1107:
     technique:
       x_mitre_data_sources:
diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index a34c2659..227dd3e9 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -44,6 +44,8 @@ - [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files) + +- [Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-21---stop-and-remove-arbitrary-security-windows-service) +
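Review bot: The new index.yaml entry has no `cleanup_command`, yet `Remove-Service -Name #{service_name}` deletes the service's registration, so a run with the default `McAfeeDLPAgentService` leaves the endpoint agent unregistered with nothing for the framework to restore; since this file is generated, the fix belongs in the source atomic, either a product-specific reinstall step or at least a description sentence stating that the test is not reversible on its own. The description also misplaces the version note: `Stop-Service` has existed since the earliest Windows PowerShell releases, while `Remove-Service` is the cmdlet introduced in PowerShell 6.0, so on a host that only has Windows PowerShell 5.1 the second line fails with an unrecognized-cmdlet error after the service has already been stopped. A `dependencies` entry with a `prereq_command` such as `if (Get-Command Remove-Service -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }` would make that prerequisite explicit instead of half-executing. For the detection side, the description could note that the stop is visible as a Service Control Manager state-change event in the System log and the removal as deletion of the service's key under `HKLM\SYSTEM\CurrentControlSet\Services`, which is what a defender validating coverage with this test would look for.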
@@ -716,4 +718,34 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state- +
+
+ +## Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service +Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| service_name | The name of the service to remove | String | McAfeeDLPAgentService| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +Stop-Service -Name #{service_name} +Remove-Service -Name #{service_name} +``` + + + + + +