Generate docs from job=validate_atomics_generate_docs branch=oscd

2020-10-26 04:13:24 +00:00
parent d630fdfc2d
commit 1114a1d32e
11 changed files with 192 additions and 107 deletions
@@ -269,22 +269,23 @@ defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on L
 defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
-defense-evasion,T1562.001,Disable or Modify Tools,8,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
-defense-evasion,T1562.001,Disable or Modify Tools,9,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,10,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,11,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,13,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,14,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,17,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,18,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,19,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
+defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
+defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -52,7 +52,8 @@ defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-
 defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
-defense-evasion,T1562.001,Disable or Modify Tools,8,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
+defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
+defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
@@ -90,21 +90,21 @@ defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
 defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,9,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,10,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,11,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,13,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,14,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,17,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,18,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,19,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -538,22 +538,23 @@
  - Atomic Test #5: Disable Carbon Black Response [macos]
  - Atomic Test #6: Disable LittleSnitch [macos]
  - Atomic Test #7: Disable OpenDNS Umbrella [macos]
-  - Atomic Test #8: Stop and unload Crowdstrike Falcon on macOS [macos]
-  - Atomic Test #9: Unload Sysmon Filter Driver [windows]
-  - Atomic Test #10: Uninstall Sysmon [windows]
-  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
-  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
-  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
-  - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
-  - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
-  - Atomic Test #16: Tamper with Windows Defender Registry [windows]
-  - Atomic Test #17: Disable Microsoft Office Security Features [windows]
-  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
-  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
-  - Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
-  - Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
-  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
-  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
+  - Atomic Test #8: Disable macOS Gatekeeper [macos]
+  - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
+  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
+  - Atomic Test #11: Uninstall Sysmon [windows]
+  - Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
+  - Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
+  - Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
+  - Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #17: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #18: Disable Microsoft Office Security Features [windows]
+  - Atomic Test #19: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
+  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
+  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
+  - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -135,7 +135,8 @@
  - Atomic Test #5: Disable Carbon Black Response [macos]
  - Atomic Test #6: Disable LittleSnitch [macos]
  - Atomic Test #7: Disable OpenDNS Umbrella [macos]
-  - Atomic Test #8: Stop and unload Crowdstrike Falcon on macOS [macos]
+  - Atomic Test #8: Disable macOS Gatekeeper [macos]
+  - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -180,21 +180,21 @@
  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
-  - Atomic Test #9: Unload Sysmon Filter Driver [windows]
-  - Atomic Test #10: Uninstall Sysmon [windows]
-  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
-  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
-  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
-  - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
-  - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
-  - Atomic Test #16: Tamper with Windows Defender Registry [windows]
-  - Atomic Test #17: Disable Microsoft Office Security Features [windows]
-  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
-  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
-  - Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
-  - Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
-  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
-  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
+  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
+  - Atomic Test #11: Uninstall Sysmon [windows]
+  - Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
+  - Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
+  - Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
+  - Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #17: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #18: Disable Microsoft Office Security Features [windows]
+  - Atomic Test #19: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
+  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
+  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
+  - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -24253,10 +24253,14 @@ defense-evasion:
      supported_platforms:
      - macos
      executor:
-        command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
-
-'
+        command: |
+          sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
+          sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
+        cleanup_command: |
+          sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
+          sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
        name: sh
+        elevation_required: true
    - name: Disable LittleSnitch
      auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
      description: 'Disables LittleSnitch
@@ -24267,8 +24271,12 @@ defense-evasion:
      executor:
        command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

+'
+        cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
+
 '
        name: sh
+        elevation_required: true
    - name: Disable OpenDNS Umbrella
      auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
      description: 'Disables OpenDNS Umbrella
@@ -24279,8 +24287,28 @@ defense-evasion:
      executor:
        command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist

+'
+        cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+
 '
        name: sh
+        elevation_required: true
+    - name: Disable macOS Gatekeeper
+      auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
+      description: 'Disables macOS Gatekeeper
+
+'
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo spctl --master-disable
+
+'
+        cleanup_command: 'sudo spctl --master-enable
+
+'
+        name: sh
+        elevation_required: true
    - name: Stop and unload Crowdstrike Falcon on macOS
      auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
      description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon
@@ -24302,6 +24330,9 @@ defense-evasion:
        command: |
          sudo launchctl unload #{falcond_plist}
          sudo launchctl unload #{userdaemon_plist}
+        cleanup_command: |
+          sudo launchctl load -w #{falcond_plist}
+          sudo launchctl load -w #{userdaemon_plist}
        name: sh
        elevation_required: true
    - name: Unload Sysmon Filter Driver
@@ -25772,9 +25803,9 @@ defense-evasion:
          type: Path
          default: myapp.app
      executor:
-        command: |
-          sudo xattr -r -d com.apple.quarantine #{app_path}
-          sudo spctl --master-disable
+        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+
+'
        elevation_required: true
        name: sh
  T1484:
@@ -31,8 +31,7 @@ Gatekeeper Bypass via command line


 ```sh
-sudo xattr -r -d com.apple.quarantine #{app_path}
-sudo spctl --master-disable
+sudo xattr -d com.apple.quarantine #{app_path}
 ```


@@ -18,37 +18,39 @@

 - [Atomic Test #7 - Disable OpenDNS Umbrella](#atomic-test-7---disable-opendns-umbrella)

- [Atomic Test #8 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-8---stop-and-unload-crowdstrike-falcon-on-macos)
+- [Atomic Test #8 - Disable macOS Gatekeeper](#atomic-test-8---disable-macos-gatekeeper)

- [Atomic Test #9 - Unload Sysmon Filter Driver](#atomic-test-9---unload-sysmon-filter-driver)
+- [Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-9---stop-and-unload-crowdstrike-falcon-on-macos)

- [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon)
+- [Atomic Test #10 - Unload Sysmon Filter Driver](#atomic-test-10---unload-sysmon-filter-driver)

- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+- [Atomic Test #11 - Uninstall Sysmon](#atomic-test-11---uninstall-sysmon)

- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)
+- [Atomic Test #12 - AMSI Bypass - AMSI InitFailed](#atomic-test-12---amsi-bypass---amsi-initfailed)

- [Atomic Test #13 - Disable Arbitrary Security Windows Service](#atomic-test-13---disable-arbitrary-security-windows-service)
+- [Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-13---amsi-bypass---remove-amsi-provider-reg-key)

- [Atomic Test #14 - Tamper with Windows Defender ATP PowerShell](#atomic-test-14---tamper-with-windows-defender-atp-powershell)
+- [Atomic Test #14 - Disable Arbitrary Security Windows Service](#atomic-test-14---disable-arbitrary-security-windows-service)

- [Atomic Test #15 - Tamper with Windows Defender Command Prompt](#atomic-test-15---tamper-with-windows-defender-command-prompt)
+- [Atomic Test #15 - Tamper with Windows Defender ATP PowerShell](#atomic-test-15---tamper-with-windows-defender-atp-powershell)

- [Atomic Test #16 - Tamper with Windows Defender Registry](#atomic-test-16---tamper-with-windows-defender-registry)
+- [Atomic Test #16 - Tamper with Windows Defender Command Prompt](#atomic-test-16---tamper-with-windows-defender-command-prompt)

- [Atomic Test #17 - Disable Microsoft Office Security Features](#atomic-test-17---disable-microsoft-office-security-features)
+- [Atomic Test #17 - Tamper with Windows Defender Registry](#atomic-test-17---tamper-with-windows-defender-registry)

- [Atomic Test #18 - Remove Windows Defender Definition Files](#atomic-test-18---remove-windows-defender-definition-files)
+- [Atomic Test #18 - Disable Microsoft Office Security Features](#atomic-test-18---disable-microsoft-office-security-features)

- [Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-19---stop-and-remove-arbitrary-security-windows-service)
+- [Atomic Test #19 - Remove Windows Defender Definition Files](#atomic-test-19---remove-windows-defender-definition-files)

- [Atomic Test #20 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-20---uninstall-crowdstrike-falcon-on-windows)
+- [Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-20---stop-and-remove-arbitrary-security-windows-service)

- [Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-21---tamper-with-windows-defender-evade-scanning--folder)
+- [Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-21---uninstall-crowdstrike-falcon-on-windows)

- [Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-22---tamper-with-windows-defender-evade-scanning--extension)
+- [Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-22---tamper-with-windows-defender-evade-scanning--folder)

- [Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-23---tamper-with-windows-defender-evade-scanning--process)
+- [Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-23---tamper-with-windows-defender-evade-scanning--extension)
+
+- [Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-24---tamper-with-windows-defender-evade-scanning--process)


 <br/>
@@ -178,13 +180,19 @@ Disables Carbon Black Response



-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


 ```sh
 sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
+sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
 ```

+#### Cleanup Commands:
+```sh
+sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
+sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
+```



@@ -202,13 +210,17 @@ Disables LittleSnitch



-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


 ```sh
 sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
 ```

+#### Cleanup Commands:
+```sh
+sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
+```



@@ -226,13 +238,17 @@ Disables OpenDNS Umbrella



-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


 ```sh
 sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
 ```

+#### Cleanup Commands:
+```sh
+sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+```



@@ -241,7 +257,35 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
 <br/>
 <br/>

-## Atomic Test #8 - Stop and unload Crowdstrike Falcon on macOS
+## Atomic Test #8 - Disable macOS Gatekeeper
+Disables macOS Gatekeeper
+
+**Supported Platforms:** macOS
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo spctl --master-disable
+```
+
+#### Cleanup Commands:
+```sh
+sudo spctl --master-enable
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
 Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS

 **Supported Platforms:** macOS
@@ -264,6 +308,11 @@ sudo launchctl unload #{falcond_plist}
 sudo launchctl unload #{userdaemon_plist}
 ```

+#### Cleanup Commands:
+```sh
+sudo launchctl load -w #{falcond_plist}
+sudo launchctl load -w #{userdaemon_plist}
+```



@@ -272,7 +321,7 @@ sudo launchctl unload #{userdaemon_plist}
 <br/>
 <br/>

-## Atomic Test #9 - Unload Sysmon Filter Driver
+## Atomic Test #10 - Unload Sysmon Filter Driver
 Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
 run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".

@@ -343,7 +392,7 @@ sysmon -accepteula -i
 <br/>
 <br/>

-## Atomic Test #10 - Uninstall Sysmon
+## Atomic Test #11 - Uninstall Sysmon
 Uninstall Sysinternals Sysmon for Defense Evasion

 **Supported Platforms:** Windows
@@ -401,7 +450,7 @@ cmd /c sysmon -i -accepteula
 <br/>
 <br/>

-## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
+## Atomic Test #12 - AMSI Bypass - AMSI InitFailed
 Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
 Upon execution, no output is displayed.

@@ -432,7 +481,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 <br/>
 <br/>

-## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
+## Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key
 With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
 This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
 Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
@@ -462,7 +511,7 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
 <br/>
 <br/>

-## Atomic Test #13 - Disable Arbitrary Security Windows Service
+## Atomic Test #14 - Disable Arbitrary Security Windows Service
 With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
 Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
 To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
@@ -499,7 +548,7 @@ net.exe start #{service_name} >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #14 - Tamper with Windows Defender ATP PowerShell
+## Atomic Test #15 - Tamper with Windows Defender ATP PowerShell
 Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
 in Windows settings.

@@ -534,7 +583,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
 <br/>
 <br/>

-## Atomic Test #15 - Tamper with Windows Defender Command Prompt
+## Atomic Test #16 - Tamper with Windows Defender Command Prompt
 Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
 However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
 will be displayed twice and the WinDefend service status will be displayed.
@@ -567,7 +616,7 @@ sc config WinDefend start=enabled >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #16 - Tamper with Windows Defender Registry
+## Atomic Test #17 - Tamper with Windows Defender Registry
 Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
 grayed out and have no info.

@@ -596,7 +645,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
 <br/>
 <br/>

-## Atomic Test #17 - Disable Microsoft Office Security Features
+## Atomic Test #18 - Disable Microsoft Office Security Features
 Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
 show any warning before editing the document.

@@ -635,7 +684,7 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
 <br/>
 <br/>

-## Atomic Test #18 - Remove Windows Defender Definition Files
+## Atomic Test #19 - Remove Windows Defender Definition Files
 Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
 On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
 command will say completed.
@@ -663,7 +712,7 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
 <br/>
 <br/>

-## Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service
+## Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service
 Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.

 **Supported Platforms:** Windows
@@ -693,7 +742,7 @@ Remove-Service -Name #{service_name}
 <br/>
 <br/>

-## Atomic Test #20 - Uninstall Crowdstrike Falcon on Windows
+## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows
 Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.

 **Supported Platforms:** Windows
@@ -722,7 +771,7 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet
 <br/>
 <br/>

-## Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder
+## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder
 Malware can exclude a specific path from being scanned and evading detection. 
 Upon successul execution, the file provided should be on the list of excluded path. 
 To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
@@ -759,7 +808,7 @@ Remove-MpPreference -ExclusionPath $excludedpath
 <br/>
 <br/>

-## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension
+## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension
 Malware can exclude specific extensions from being scanned and evading detection. 
 Upon successful execution, the extension(s) should be on the list of excluded extensions.
 To check the exclusion list using poweshell  (Get-MpPreference).ExclusionExtension.
@@ -796,7 +845,7 @@ Remove-MpPreference -ExclusionExtension  $excludedExts
 <br/>
 <br/>

-## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process
+## Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process
 Malware can exclude specific processes from being scanned and evading detection.
 Upon successful execution, the process(es) should be on the list of excluded processes. 
 To check the exclusion list using poweshell  (Get-MpPreference).ExclusionProcess."
@@ -102,6 +102,7 @@ atomic_tests:
    name: sh
    elevation_required: true
 - name: Disable macOS Gatekeeper
+  auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
  description: |
    Disables macOS Gatekeeper
  supported_platforms:
@@ -586,3 +586,4 @@ dc7726d2-8ccb-4cc6-af22-0d5afb53a548
 cf3391e0-b482-4b02-87fc-ca8362269b29
 c3e35b58-fe1c-480b-b540-7600fb612563
 de87ed7b-52c3-43fd-9554-730f695e7f31
+2a821573-fb3f-4e71-92c3-daac7432f053