From 5f866ca4517e837c4ea576e7309d0891e78080a8 Mon Sep 17 00:00:00 2001
From: abhijose09
Date: Sat, 11 May 2024 00:06:54 +0530
Subject: [PATCH] Update T1112.yaml (#2774)

* Update T1112.yaml

Add new test Disable Windows Prefetch Through Registry

* fix spacing

---------

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 5448a353..87c9f994 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -1087,3 +1087,15 @@ atomic_tests:
 cleanup_command: 'if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)'
 name: command_prompt
 elevation_required: true
+- name: Disable Windows Prefetch Through Registry
+ description: |
+ Modify the registry of the machine to disable prefetch. Disabling prefetch will remove one artifact for evidence of application execution. Restart is required post modification
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
+ name: command_prompt
+ elevation_required: true
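Review bot: The cleanup_command hard-codes EnablePrefetcher back to 3, so on a host whose pre-test value was anything else (0, or the value not present at all) the cleanup changes the configuration instead of restoring it, and nothing in the test records the original value. Exporting the key before the modification and reimporting it on cleanup restores the actual prior state: prepend `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" "%TEMP%\PrefetchParameters.reg" /y` to command, and replace the cleanup reg add with `reg import "%TEMP%\PrefetchParameters.reg"` followed by `del "%TEMP%\PrefetchParameters.reg"`. If the export step is kept, the cleanup should tolerate a missing export file so a failed run does not leave an error on cleanup. The enclosing atomic_tests sequence begins outside the hunk.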