Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1070/T1070.md

@@ -30,6 +30,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
 
 - [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
 
+- [Atomic Test #6 - Delete System Logs Using PowerShell](#atomic-test-6---delete-system-logs-using-powershell)
+
+- [Atomic Test #7 - Delete System Logs Using Clear-EventLogId](#atomic-test-7---delete-system-logs-using-clear-eventlogid)
+
 
 <br/>
 
@@ -126,4 +130,42 @@ echo 0> #{log_path}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Delete System Logs Using PowerShell
+Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+Stop-Process -Id $eventLogId -Force
+Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+```
+
+
+#### Cleanup Commands:
+```
+Start-Service -Name EventLog
+```
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Delete System Logs Using Clear-EventLogId
+Clear event logs using built-in PowerShell commands
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+Clear-EventLog -logname Application
+```
+
+
+
 <br/>

atomics/index.md

@@ -272,6 +272,8 @@
   - Atomic Test #3: rm -rf [macos, linux]
   - Atomic Test #4: Overwrite Linux Mail Spool [linux]
   - Atomic Test #5: Overwrite Linux Log [linux]
+  - Atomic Test #6: Delete System Logs Using PowerShell [windows]
+  - Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
   - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]

atomics/index.yaml

@@ -7970,7 +7970,38 @@ defense-evasion:
           default: "/var/log/secure"
       executor:
         name: bash
-        command: 'echo 0> #{log_path}'
+        command: 'echo 0> #{log_path}
+
+'
+    - name: Delete System Logs Using PowerShell
+      description: 'Recommended Detection: Monitor for use of the windows event log
+        filepath in PowerShell couple with delete arguments
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+          Stop-Process -Id $eventLogId -Force
+          Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+        cleanup_command: 'Start-Service -Name EventLog
+
+'
+    - name: Delete System Logs Using Clear-EventLogId
+      description: 'Clear event logs using built-in PowerShell commands
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Clear-EventLog -logname Application
+
+'
   T1202:
     technique:
       x_mitre_data_sources:

atomics/windows-index.md

@@ -77,6 +77,8 @@
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
   - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: FSUtil [windows]
+  - Atomic Test #6: Delete System Logs Using PowerShell [windows]
+  - Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
   - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]