From cbae16ede1ca51a548828de5aa52dda6d8fd7aac Mon Sep 17 00:00:00 2001
From: arames13 <91679765+arames13@users.noreply.github.com>
Date: Wed, 3 Aug 2022 10:04:50 -0500
Subject: [PATCH] T1562.004-update (#2069)
Co-authored-by: anupama ramesh
Co-authored-by: Carrie Roberts
---
 atomics/T1562.004/T1562.004.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 9968e64c..b64d3f97 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -297,3 +297,31 @@ atomic_tests:
     command: |
       tail /var/log/ufw.log
     cleanup_command: |
+- name: LockBit Black - Unusual Windows firewall registry modification -cmd
+  description: |
+    An adversary tries to modify the windows firewall registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /f >nul 2>&1
+      reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: LockBit Black - Unusual Windows firewall registry modification -Powershell
+  description: |
+    An adversary tries to modify the windows firewall registry.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
+      New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
+    cleanup_command: |
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
\ No newline at end of file
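Review bot: The two `New-ItemProperty` lines in the PowerShell test's `command` will fail on a host that has no firewall policy yet, because `New-ItemProperty` does not create missing parent keys the way `reg add` does — the `HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile` and `StandardProfile` keys are absent by default, so the command errors on the path and nothing is emulated, and the cleanup's `-ErrorAction Ignore` hides the failure. Creating the key first fixes it: `New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Force | Out-Null` (and the same for `StandardProfile`) before each `New-ItemProperty`. In both variants the cleanup deletes `EnableFirewall` outright rather than restoring a prior value, so on a host where that policy value already existed cleanup leaves a different effective policy than before, and on a domain-joined host a Group Policy refresh may overwrite the value mid-test; the `description` should state that this writes the policy key, which takes precedence over the local firewall configuration, and that it assumes no pre-existing value. The new entries also carry no `auto_generated_guid`; if the repository's tooling does not fill that in, it should be added to both tests.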