Deleting test (TamperData) (#1860)

Deleting test 'Disable Windows Defender Tamper Protection'

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
jovial7
2022-04-11 10:37:33 -05:00
committed by GitHub
parent 80b1e0e591
commit 3a00e9fe6a
@@ -574,17 +574,6 @@ atomic_tests:
cmd /c #{DefenderControlExe} /E | Out-Null
name: powershell
elevation_required: true
- name: Disable Windows Defender Tamper Protection
auto_generated_guid: 5fde6578-9419-46ef-9258-269dc8656c3e
description: Disabling Windows Defender tamper protection to allow attacks such as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f). Tamper Protection will be disabled after the next reboot.
supported_platforms:
- windows
executor:
command: |-
New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
name: powershell
- name: Disable Defender Using NirSoft AdvancedRun
auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
description: |
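Review bot: The removal of the `Disable Windows Defender Tamper Protection` entry (auto_generated_guid 5fde6578-9419-46ef-9258-269dc8656c3e) has no stated rationale; the commit message only repeats the test name. Please say why the test is dropped, for example whether writing `TamperData` under `Policies\Microsoft\Windows Defender\Feature` fails to produce the effect the description claims, so that anyone who has mapped detections or validation runs to this GUID knows whether to retire them. The hunk changes only the YAML entry, so also confirm that any generated documentation or index that lists this GUID is regenerated in the same change.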