Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-16 00:45:11 +00:00
parent cbf89911c1
commit 924cb2491c
6 changed files with 838 additions and 16 deletions
@@ -488,6 +488,20 @@ defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d113
 defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
 defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
 defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -318,6 +318,20 @@ defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d113
 defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
 defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
 defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -763,6 +763,20 @@
  - Atomic Test #14: Disable Windows LogOff Button [windows]
  - Atomic Test #15: Disable Windows Change Password Feature [windows]
  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -530,6 +530,20 @@
  - Atomic Test #14: Disable Windows LogOff Button [windows]
  - Atomic Test #15: Disable Windows Change Password Feature [windows]
  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -31782,7 +31782,7 @@ defense-evasion:
      auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
-        See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+        See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
      supported_platforms:
      - windows
      executor:
@@ -31800,7 +31800,7 @@ defense-evasion:
      auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
-        See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+        See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
      supported_platforms:
      - windows
      executor:
@@ -31818,7 +31818,7 @@ defense-evasion:
      auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
-        See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+        See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
      supported_platforms:
      - windows
      executor:
@@ -31836,7 +31836,7 @@ defense-evasion:
      auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
-        See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+        See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
      supported_platforms:
      - windows
      executor:
@@ -31854,7 +31854,7 @@ defense-evasion:
      auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
-        See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+        See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
      supported_platforms:
      - windows
      executor:
@@ -31872,7 +31872,7 @@ defense-evasion:
      auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
-        See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+        See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
      supported_platforms:
      - windows
      executor:
@@ -31888,7 +31888,7 @@ defense-evasion:
      auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
-        See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+        See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
      supported_platforms:
      - windows
      executor:
@@ -31906,7 +31906,7 @@ defense-evasion:
      auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
      description: |
        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
-        See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+        See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
      supported_platforms:
      - windows
      executor:
@@ -31917,6 +31917,268 @@ defense-evasion:
        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
          /v DisableLockWorkstation /f >nul 2>&1

+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoDesktop Group Policy Feature
+      auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to hide all icons on Desktop Group Policy. \nTake note that
+        some Group Policy changes might require a restart to take effect.\nSee how
+        Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoDesktop /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoDesktop /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoRun Group Policy Feature
+      auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
+        Take note that some Group Policy changes might require a restart to take effect.
+        See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoRun /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\"
+          /v NoRun /f \n"
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoFind Group Policy Feature
+      auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
+        Take note that some Group Policy changes might require a restart to take effect.
+        See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFind /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFind /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoControlPanel Group Policy Feature
+      auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable Control Panel Group Policy. \nTake note that some
+        Group Policy changes might require a restart to take effect.\nSee how Trojan
+        abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoControlPanel /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoControlPanel /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoFileMenu Group Policy Feature
+      auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Remove File menu from Windows Explorer Group Policy. \nTake
+        note that some Group Policy changes might require a restart to take effect.\nSee
+        how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFileMenu /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFileMenu /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoClose Group Policy Feature
+      auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable and remove the Shut Down command Group Policy.
+        \nTake note that some Group Policy changes might require a restart to take
+        effect.\nSee how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoClose /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoClose /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoSetTaskbar Group Policy Feature
+      auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable changes to Taskbar and Start Menu Settings Group
+        Policy. \nTake note that some Group Policy changes might require a restart
+        to take effect.\nSee how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoSetTaskbar /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoSetTaskbar /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoTrayContextMenu Group Policy Feature
+      auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable context menu for taskbar Group Policy. \nTake note
+        that some Group Policy changes might require a restart to take effect.\nSee
+        how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v StartMenuLogOff /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoTrayContextMenu /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoPropertiesMyDocuments Group Policy Feature
+      auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to hide Properties from \"My Documents icon\" Group Policy.
+        \nTake note that some Group Policy changes might require a restart to take
+        effect.\nSee how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\"
+          /v NoPropertiesMyDocuments /t REG_DWORD /d 1 \n"
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoPropertiesMyDocuments /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Hide Windows Clock Group Policy Feature
+      auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Hide Clock Group Policy. \nTake note that some Group Policy
+        changes might require a restart to take effect.\nSee how ransomware abuses
+        this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideClock /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideClock /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCAHealth Group Policy Feature
+      auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove security and maintenance icon Group Policy. \nTake
+        note that some Group Policy changes might require a restart to take effect.\nSee
+        how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAHealth /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAHealth /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCANetwork Group Policy Feature
+      auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove the networking icon Group Policy. \nTake note that
+        some Group Policy changes might require a restart to take effect.\nSee how
+        ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCANetwork /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCANetwork /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCAPower Group Policy Feature
+      auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove the battery icon Group Policy. \nTake note that
+        some Group Policy changes might require a restart to take effect.\nSee how
+        ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAPower /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAPower /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCAVolume Group Policy Feature
+      auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove the volume icon Group Policy. \nTake note that some
+        Group Policy changes might require a restart to take effect..\nSee how ransomware
+        abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAVolume /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAVolume /f >nul 2>&1
+
 '
        name: command_prompt
        elevation_required: true
@@ -42,6 +42,34 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature)

+- [Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-17---activate-windows-nodesktop-group-policy-feature)
+
+- [Atomic Test #18 - Activate Windows NoRun Group Policy Feature](#atomic-test-18---activate-windows-norun-group-policy-feature)
+
+- [Atomic Test #19 - Activate Windows NoFind Group Policy Feature](#atomic-test-19---activate-windows-nofind-group-policy-feature)
+
+- [Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-20---activate-windows-nocontrolpanel-group-policy-feature)
+
+- [Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-21---activate-windows-nofilemenu-group-policy-feature)
+
+- [Atomic Test #22 - Activate Windows NoClose Group Policy Feature](#atomic-test-22---activate-windows-noclose-group-policy-feature)
+
+- [Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-23---activate-windows-nosettaskbar-group-policy-feature)
+
+- [Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-24---activate-windows-notraycontextmenu-group-policy-feature)
+
+- [Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-25---activate-windows-nopropertiesmydocuments-group-policy-feature)
+
+- [Atomic Test #26 - Hide Windows Clock Group Policy Feature](#atomic-test-26---hide-windows-clock-group-policy-feature)
+
+- [Atomic Test #27 - Windows HideSCAHealth Group Policy Feature](#atomic-test-27---windows-hidescahealth-group-policy-feature)
+
+- [Atomic Test #28 - Windows HideSCANetwork Group Policy Feature](#atomic-test-28---windows-hidescanetwork-group-policy-feature)
+
+- [Atomic Test #29 - Windows HideSCAPower Group Policy Feature](#atomic-test-29---windows-hidescapower-group-policy-feature)
+
+- [Atomic Test #30 - Windows HideSCAVolume Group Policy Feature](#atomic-test-30---windows-hidescavolume-group-policy-feature)
+

 <br/>

@@ -357,7 +385,7 @@ Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name Lo

 ## Atomic Test #9 - Disable Windows Registry Tool
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
-See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry

 **Supported Platforms:** Windows

@@ -390,7 +418,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\

 ## Atomic Test #10 - Disable Windows CMD application
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
-See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry

 **Supported Platforms:** Windows

@@ -423,7 +451,7 @@ reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "Di

 ## Atomic Test #11 - Disable Windows Task Manager application
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
-See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry

 **Supported Platforms:** Windows

@@ -456,7 +484,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

 ## Atomic Test #12 - Disable Windows Notification Center
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
-See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html

 **Supported Platforms:** Windows

@@ -489,7 +517,7 @@ reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v Dis

 ## Atomic Test #13 - Disable Windows Shutdown Button
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
-See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/

 **Supported Platforms:** Windows

@@ -522,7 +550,7 @@ reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policie

 ## Atomic Test #14 - Disable Windows LogOff Button
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
-See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2

 **Supported Platforms:** Windows

@@ -557,7 +585,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

 ## Atomic Test #15 - Disable Windows Change Password Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
-See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah

 **Supported Platforms:** Windows

@@ -590,7 +618,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

 ## Atomic Test #16 - Disable Windows Lock Workstation Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
-See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

 **Supported Platforms:** Windows

@@ -618,4 +646,480 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies



+<br/>
+<br/>
+
+## Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 93386d41-525c-4a1b-8235-134a628dee17
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #18 - Activate Windows NoRun Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d49ff3cc-8168-4123-b5b3-f057d9abbd55
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #19 - Activate Windows NoFind Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ffbb407e-7f1d-4c95-b22e-548169db1fbd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a450e469-ba54-4de1-9deb-9023a6111690
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #22 - Activate Windows NoClose Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 12f50e15-dbc6-478b-a801-a746e8ba1723
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d29b7faf-7355-4036-9ed3-719bd17951ed
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4d72d4b1-fa7b-4374-b423-0fe326da49d2
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 20fc9daa-bd48-4325-9aff-81b967a84b1d
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #26 - Hide Windows Clock Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8023db1e-ad06-4966-934b-b6a0ae52689e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #27 - Windows HideSCAHealth Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a4637291-40b1-4a96-8c82-b28f1d73e54e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #28 - Windows HideSCANetwork Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3e757ce7-eca0-411a-9583-1c33b8508d52
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #29 - Windows HideSCAPower Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8d85a5d8-702f-436f-bc78-fcd9119496fc
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #30 - Windows HideSCAVolume Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect..
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
+```
+
+
+
+
+
 <br/>