redcanaryco · patel-bhavin · Oct 27, 2023 · Oct 13, 2023 · Oct 14, 2023 · Oct 16, 2023
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
@@ -924,3 +924,18 @@ atomic_tests:
       echo "If test successfully ran, no cleanup required."
     name: bash
     elevation_required: false
+- name: Tamper with Defender ATP on Linux/MacOS
+  description: |
+    With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
+  supported_platforms:
+  - linux
+  - macos
+  executor:
+    command: |
+      sudo mdatp config real-time-protection --value disabled
+    cleanup_command: |
+      sudo mdatp config real-time-protection --value enabled
+    name: sh
+    elevation_required: true
+
+