From 3a00e9fe6a042d849dd98f915b34bda3ffdcc8d6 Mon Sep 17 00:00:00 2001
From: jovial7 <37297486+jovial7@users.noreply.github.com>
Date: Mon, 11 Apr 2022 10:37:33 -0500
Subject: [PATCH] Deleting test (TamperData) (#1860)

Deleting test 'Disable Windows Defender Tamper Protection'

Co-authored-by: Carrie Roberts
---
 atomics/T1562.001/T1562.001.yaml | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 116aa7af..d04bc2f6 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -574,17 +574,6 @@ atomic_tests:
       cmd /c #{DefenderControlExe} /E | Out-Null
     name: powershell
   elevation_required: true
-- name: Disable Windows Defender Tamper Protection
-  auto_generated_guid: 5fde6578-9419-46ef-9258-269dc8656c3e
-  description: Disabling Windows Defender tamper protection to allow attacks such as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f). Tamper Protection will be disabled after the next reboot.
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
-      New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
-    cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
-    name: powershell
 - name: Disable Defender Using NirSoft AdvancedRun
   auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
   description: |