From 912b84d2e6aa4ed3f3282029b4b031e656ce9bdc Mon Sep 17 00:00:00 2001
From: Swelc <shane@swelcher.com>
Date: Sun, 1 Jul 2018 20:14:29 -0500
Subject: [PATCH] Add T1126 removing network shares

---
 atomics/T1126/T1126.yaml | 42 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 atomics/T1126/T1126.yaml

diff --git a/atomics/T1126/T1126.yaml b/atomics/T1126/T1126.yaml
new file mode 100644
index 00000000..f8ec355c
--- /dev/null
+++ b/atomics/T1126/T1126.yaml
@@ -0,0 +1,42 @@
+---
+attack_technique: T1126
+display_name: Remove Network Share
+
+atomic_tests:
+- name: Remove Network Share
+  description: |
+    Removes a Network Share utilizing the command_prompt
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    share_name:
+      description: Share to remove.
+      type: string
+      default: \\test\share
+
+  executor:
+    name: command_prompt
+    command: |
+      net share #{share_name} /delete
+
+- name: Remove Network Share PowerShell
+  description: |
+    Removes a Network Share utilizing PowerShell
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    share_name:
+      description: Share to remove.
+      type: string
+      default: \\test\share
+
+  executor:
+    name: powershell
+    command: |
+      Remove-SmbShare -Name #{share_name}
+      Remove-FileShare -Name #{share_name}
+