adding ASR rules deletion

redcanaryco · Feb 6, 2024 · f87003f · f87003f
1 parent 700b890
commit f87003f
Showing 1 changed file with 19 additions and 20 deletions.
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
@@ -1088,30 +1088,30 @@ atomic_tests:
   description: This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment.
   supported_platforms:
   - windows
-  command: |-
-    $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
+  executor:
+    command: |-
+      $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"
 
-    if (-not (Test-Path $registryPath)) {
-      New-Item -Path $registryPath -Force
-      Write-Host "Registry key created: $registryPath"
-    }
+      if (-not (Test-Path $registryPath)) {
+        New-Item -Path $registryPath -Force
+        Write-Host "Registry key created: $registryPath"
+      }
 
-    $registryValueName = "ASRRules"
+      $registryValueName = "ASRRules"
 
-    if (Test-Path "$registryPath\$registryValueName") {
-      Remove-ItemProperty -Path $registryPath -Name $registryValueName
-      Write-Host "Registry value deleted: $registryValueName"
-    } else {
-      New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
-      Write-Host "Registry value created: $registryValueName"
-    }
+      if (Test-Path "$registryPath\$registryValueName") {
+        Remove-ItemProperty -Path $registryPath -Name $registryValueName
+        Write-Host "Registry value deleted: $registryValueName"
+      } else {
+        New-ItemProperty -Path $registryPath -Name $registryValueName -PropertyType String -Value "36190899-1602-49e8-8b27-eb1d0a1ce869=1" -Force
+        Write-Host "Registry value created: $registryValueName"
+      }
 
 
-    Remove-ItemProperty -Path $registryPath -Name $registryValueName
-    Write-Host "Registry value deleted: $registryValueName"
-  cleanup_command: 
-  name: powershell
-  elevation_required: true
+      Remove-ItemProperty -Path $registryPath -Name $registryValueName
+      Write-Host "Registry value deleted: $registryValueName"
+    name: powershell
+    elevation_required: true
 - name: Delete Microsoft Defender ASR Rules - GPO
   description: This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment.
   supported_platforms:
@@ -1132,6 +1132,5 @@ atomic_tests:
 
       Remove-ItemProperty -Path $registryPath -Name $newValueName
       Write-Host "Registry value deleted: $newValueName"
-    cleanup_command: 
     name: powershell
     elevation_required: true