From d4708780249c3f2a2afeb31e2889403b25aa286a Mon Sep 17 00:00:00 2001
From: System Administrator
Date: Fri, 25 May 2018 07:20:21 -0400
Subject: [PATCH] T1063 add

---
 atomics/T1063/T1063.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 atomics/T1063/T1063.yaml

diff --git a/atomics/T1063/T1063.yaml b/atomics/T1063/T1063.yaml
new file mode 100644
index 00000000..fcc92c4a
--- /dev/null
+++ b/atomics/T1063/T1063.yaml
@@ -0,0 +1,35 @@
+---
+attack_technique: T1063
+display_name: Security Software Discovery
+
+atomic_tests:
+- name: Security Software Discovery
+ description: |
+ Methods to identify Security Software on an endpoint
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ command: |
+ netsh.exe advfirewall firewall show all profiles
+ tasklist.exe
+ tasklist.exe | findstr virus
+ tasklist.exe | findstr cb
+ tasklist.exe | findstr defender
+
+atomic_tests:
+- name: Security Software Discovery - powershell
+ description: |
+ Methods to identify Security Software on an endpoint
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ command: |
+ powershell.exe get-process | ?{$_.Description -like "*virus*"}
+ powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
+ powershell.exe get-process | ?{$_.Description -like "*defender*"}
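Review bot: The new file declares the top-level `atomic_tests:` key twice (once before each test), which a YAML loader will either reject as a duplicate key or resolve by keeping only the last mapping, so the command_prompt test is silently dropped from the technique; both tests belong as two items under a single `atomic_tests:` list, i.e. delete the second `atomic_tests:` line and keep the `- name: Security Software Discovery - powershell` item in the same list. In the powershell executor, prefixing each line with `powershell.exe` spawns a child shell whose output reaches the outer `?{...}` filter as plain strings, so `$_.Description` is never populated and the filter matches nothing; the executor already runs in PowerShell, so the lines should read `get-process | ?{$_.Description -like "*virus*"}` and likewise for the other two. In the command_prompt test, `findstr` is case-sensitive by default, so `findstr virus` and `findstr defender` may miss mixed-case image names in the `tasklist.exe` output; adding `/i` (e.g. `tasklist.exe | findstr /i defender`) would make the test exercise the intended detection more reliably. The two `description` blocks are identical and do not say which artifacts each variant is expected to generate; a one-line note per test naming the discovery mechanism (process listing via tasklist vs. Get-Process, firewall profile enumeration via netsh) would help whoever maps these to detection rules.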