deploy: 3b928a1
frack113 committed May 4, 2024
1 parent c93abe1 commit dfb4169
Showing 8 changed files with 44 additions and 12 deletions.
12 changes: 6 additions & 6 deletions index.md
Original file line number Diff line number Diff line change
@@ -41,7 +41,7 @@ Caution: a test can generate a lot of noise...

[Tamper with Windows Defender Evade Scanning -Extension](tests/315f4be6-2240-4552-b3e1-d1047f5eecea.md) ['windows'] (sigma rule :heavy_check_mark:)

[Tamper with Windows Defender Registry - Powershell](tests/a72cfef8-d252-48b3-b292-635d332625c3.md) ['windows'] (sigma rule :x:)
[Tamper with Windows Defender Registry - Powershell](tests/a72cfef8-d252-48b3-b292-635d332625c3.md) ['windows'] (sigma rule :heavy_check_mark:)

[Stop Crowdstrike Falcon on Linux](tests/828a1278-81cc-4802-96ab-188bf29ca77d.md) ['linux'] (sigma rule :x:)

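Review bot: the :heavy_check_mark: flag on the "Tamper with Windows Defender Registry - Powershell" line tells the reader that a rule now exists but not which one; since index.md is generated, consider emitting the rule file name after the flag (for this entry it would be `registry_set_windows_defender_tamper.yml`, per the test page changed in this same commit) so coverage can be read from the index without opening each test page.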
@@ -57,7 +57,7 @@ Caution: a test can generate a lot of noise...

[Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](tests/5e27f36d-5132-4537-b43b-413b0d5eec9a.md) ['windows'] (sigma rule :heavy_check_mark:)

[Disable Hypervisor-Enforced Code Integrity (HVCI)](tests/70bd71e6-eba4-4e00-92f7-617911dbe020.md) ['windows'] (sigma rule :x:)
[Disable Hypervisor-Enforced Code Integrity (HVCI)](tests/70bd71e6-eba4-4e00-92f7-617911dbe020.md) ['windows'] (sigma rule :heavy_check_mark:)

[Tamper with Defender ATP on Linux/MacOS](tests/40074085-dbc8-492b-90a3-11bcfc52fda8.md) ['linux', 'macos'] (sigma rule :x:)

@@ -85,7 +85,7 @@ Caution: a test can generate a lot of noise...

[Tamper with Windows Defender ATP using Aliases - PowerShell](tests/c531aa6e-9c97-4b29-afee-9b7be6fc8a64.md) ['windows'] (sigma rule :heavy_check_mark:)

[Tamper with Windows Defender Registry - Reg.exe](tests/1f6743da-6ecc-4a93-b03f-dc357e4b313f.md) ['windows'] (sigma rule :x:)
[Tamper with Windows Defender Registry - Reg.exe](tests/1f6743da-6ecc-4a93-b03f-dc357e4b313f.md) ['windows'] (sigma rule :heavy_check_mark:)

[Tamper with Windows Defender Registry](tests/1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45.md) ['windows'] (sigma rule :heavy_check_mark:)

@@ -519,7 +519,7 @@ Caution: a test can generate a lot of noise...

[UACME Bypass Method 56](tests/235ec031-cd2d-465d-a7ae-68bab281e80e.md) ['windows'] (sigma rule :heavy_check_mark:)

[Disable ConsentPromptBehaviorAdmin via registry keys](tests/a768aaa2-2442-475c-8990-69cf33af0f4e.md) ['windows'] (sigma rule :x:)
[Disable ConsentPromptBehaviorAdmin via registry keys](tests/a768aaa2-2442-475c-8990-69cf33af0f4e.md) ['windows'] (sigma rule :heavy_check_mark:)

[Bypass UAC using Event Viewer (cmd)](tests/5073adf8-9a50-4bd9-b298-a9bd2ead8af9.md) ['windows'] (sigma rule :heavy_check_mark:)

@@ -1615,7 +1615,7 @@ Caution: a test can generate a lot of noise...


### T1562.010
[PowerShell Version 2 Downgrade](tests/47c96489-2f55-4774-a6df-39faff428f6f.md) ['windows'] (sigma rule :x:)
[PowerShell Version 2 Downgrade](tests/47c96489-2f55-4774-a6df-39faff428f6f.md) ['windows'] (sigma rule :heavy_check_mark:)

[ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI](tests/14d55b96-b2f5-428d-8fed-49dc4d9dd616.md) ['linux'] (sigma rule :x:)

@@ -3089,7 +3089,7 @@ Caution: a test can generate a lot of noise...


### T1553.003
[SIP (Subject Interface Package) Hijacking via Custom DLL](tests/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.md) ['windows'] (sigma rule :x:)
[SIP (Subject Interface Package) Hijacking via Custom DLL](tests/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.md) ['windows'] (sigma rule :heavy_check_mark:)


### T1003.003
14 changes: 14 additions & 0 deletions index2.md
@@ -2815,6 +2815,8 @@
* proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
* T1562.001 [Tamper with Windows Defender Command Prompt](tests/aa875ed4-8935-47e2-b2c5-6ec00ab220d2.md)
* T1562.001 [Disable Defender Using NirSoft AdvancedRun](tests/81ce22fd-9612-4154-918e-8a1f285d214d.md)
* proc_creation_win_powershell_downgrade_attack.yml
* T1562.010 [PowerShell Version 2 Downgrade](tests/47c96489-2f55-4774-a6df-39faff428f6f.md)
* proc_creation_win_powershell_download_cradles.yml
* T1555.003 [WinPwn - Loot local Credentials - mimi-kittenz](tests/ec1d0b37-f659-4186-869f-31a554891611.md)
* T1082 [WinPwn - Morerecon](tests/3278b2f6-f733-4875-9ef4-bfed34244f0a.md)
@@ -3265,6 +3267,7 @@
* T1518 [Find and Display Internet Explorer Browser Version](tests/68981660-6670-47ee-a5fa-7e74806420a4.md)
* proc_creation_win_reg_susp_paths.yml
* T1562.001 [LockBit Black - Use Registry Editor to turn on automatic logon -cmd](tests/9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70.md)
* T1562.001 [Tamper with Windows Defender Registry - Reg.exe](tests/1f6743da-6ecc-4a93-b03f-dc357e4b313f.md)
* T1112 [Ursnif Malware Registry Key Creation](tests/c375558d-7c25-45e9-bd64-7b23a97c1db0.md)
* T1562.001 [LockBit Black - Disable Privacy Settings Experience Using Registry -cmd](tests/d6d22332-d07d-498f-aea0-6139ecb7850e.md)
* proc_creation_win_regedit_export_keys.yml
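Review bot: the entries under proc_creation_win_reg_susp_paths.yml are not ordered by technique (T1562.001, T1562.001, T1112, T1562.001), so the new "Tamper with Windows Defender Registry - Reg.exe" line lands between a LockBit atomic and an Ursnif atomic; having the generator sort the entries of each rule block by technique id would keep the related T1562.001 atomics together and make duplicate (rule, test) pairs easier to spot.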
@@ -3278,13 +3281,17 @@
* proc_creation_win_regsvr32_flags_anomaly.yml
* T1218.010 [Regsvr32 remote COM scriptlet execution](tests/c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36.md)
* T1218.010 [Regsvr32 local COM scriptlet execution](tests/449aa403-6aba-47ce-8a37-247d21ef0306.md)
* proc_creation_win_regsvr32_susp_exec_path_2.yml
* T1553.003 [SIP (Subject Interface Package) Hijacking via Custom DLL](tests/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.md)
* proc_creation_win_regsvr32_susp_extensions.yml
* T1218.010 [Regsvr32 Silent DLL Install Call DllRegisterServer](tests/9d71c492-ea2e-4c08-af16-c6994cdf029f.md)
* T1218.010 [Regsvr32 Registering Non DLL](tests/1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421.md)
* T1218.010 [Regsvr32 remote COM scriptlet execution](tests/c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36.md)
* T1218.010 [Regsvr32 local DLL execution](tests/08ffca73-9a3d-471a-aeb0-68b4aa3ab37b.md)
* T1564.006 [Register Portable Virtualbox](tests/c59f246a-34f8-4e4d-9276-c295ef9ba0dd.md)
* T1218.010 [Regsvr32 local COM scriptlet execution](tests/449aa403-6aba-47ce-8a37-247d21ef0306.md)
* proc_creation_win_regsvr32_susp_parent.yml
* T1553.003 [SIP (Subject Interface Package) Hijacking via Custom DLL](tests/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.md)
* proc_creation_win_regsvr32_uncommon_extension.yml
* T1218.010 [Regsvr32 Registering Non DLL](tests/1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421.md)
* proc_creation_win_remote_access_tools_anydesk.yml
@@ -4002,6 +4009,8 @@
* T1562.001 [Tamper with Windows Defender Evade Scanning -Process](tests/a123ce6a-3916-45d6-ba9c-7d4081315c27.md)
* T1562.001 [Tamper with Windows Defender Evade Scanning -Extension](tests/315f4be6-2240-4552-b3e1-d1047f5eecea.md)
* T1562.001 [Tamper with Windows Defender Evade Scanning -Folder](tests/0b19f4ee-de90-4059-88cb-63c800c683ed.md)
* registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
* T1562.001 [Disable Hypervisor-Enforced Code Integrity (HVCI)](tests/70bd71e6-eba4-4e00-92f7-617911dbe020.md)
* registry_set_disable_administrative_share.yml
* T1070.005 [Disable Administrative Share Creation at Startup](tests/99c657aa-ebeb-4179-a665-69288fdd12b8.md)
* registry_set_disable_defender_firewall.yml
@@ -4013,6 +4022,7 @@
* T1112 [Disable Windows Task Manager application](tests/af254e70-dd0e-4de6-9afe-a994d9ea8b62.md)
* T1112 [Disable Windows Registry Tool](tests/ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8.md)
* T1548.002 [Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key](tests/251c5936-569f-42f4-9ac2-87a173b9e9b8.md)
* T1548.002 [Disable ConsentPromptBehaviorAdmin via registry keys](tests/a768aaa2-2442-475c-8990-69cf33af0f4e.md)
* T1112 [Disable Windows Toast Notifications](tests/003f466a-6010-4b15-803a-cbb478a314d7.md)
* T1112 [Disable Windows Lock Workstation Feature](tests/3dacb0d2-46ee-4c27-ac1b-f9886bf91a56.md)
* T1112 [Disable Windows Change Password Feature](tests/d4a6da40-618f-454d-9a9e-26af552aaeb0.md)
@@ -4115,6 +4125,8 @@
* T1112 [Activate Windows NoPropertiesMyDocuments Group Policy Feature](tests/20fc9daa-bd48-4325-9aff-81b967a84b1d.md)
* T1112 [Activate Windows NoSetTaskbar Group Policy Feature](tests/d29b7faf-7355-4036-9ed3-719bd17951ed.md)
* T1112 [Disable Windows LogOff Button](tests/e246578a-c24d-46a7-9237-0213ff86fb0c.md)
* registry_set_sip_persistence.yml
* T1553.003 [SIP (Subject Interface Package) Hijacking via Custom DLL](tests/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.md)
* registry_set_special_accounts.yml
* T1564.002 [Create Hidden User in Registry](tests/173126b7-afe4-45eb-8680-fa9f6400431c.md)
* T1564.002 [Create Hidden User in Registry](tests/173126b7-afe4-45eb-8680-fa9f6400431c.md)
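Review bot: the trailing context under registry_set_special_accounts.yml lists `* T1564.002 [Create Hidden User in Registry](tests/173126b7-afe4-45eb-8680-fa9f6400431c.md)` twice; that duplicate predates this commit, but the generator that writes index2.md should deduplicate (rule, test) pairs before emitting a block, otherwise one atomic is counted twice toward a rule's coverage.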
@@ -4138,7 +4150,9 @@
* registry_set_wdigest_enable_uselogoncredential.yml
* T1112 [Modify registry to store logon credentials](tests/c0413fb5-33e2-40b7-9b6f-60b29f4a7a18.md)
* registry_set_windows_defender_tamper.yml
* T1562.001 [Tamper with Windows Defender Registry - Powershell](tests/a72cfef8-d252-48b3-b292-635d332625c3.md)
* T1562.001 [Tamper with Windows Defender ATP using Aliases - PowerShell](tests/c531aa6e-9c97-4b29-afee-9b7be6fc8a64.md)
* T1562.001 [Tamper with Windows Defender Registry - Reg.exe](tests/1f6743da-6ecc-4a93-b03f-dc357e4b313f.md)
* T1562.001 [Tamper with Windows Defender Registry](tests/1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45.md)
* registry_set_winlogon_notify_key.yml
* T1547.004 [Winlogon Notify Key Logon Persistence - PowerShell](tests/d40da266-e073-4e5a-bb8b-2b385023e5f9.md)
6 changes: 5 additions & 1 deletion tests/1f6743da-6ecc-4a93-b03f-dc357e4b313f.md
@@ -1,7 +1,7 @@

[back](../index.md)

Find sigma rule :x:
Find sigma rule :heavy_check_mark:

# Attack: Impair Defenses: Disable or Modify Tools

@@ -41,6 +41,10 @@ Disable Windows Defender by tampering with windows defender registry using the u
command_prompt

# Sigma Rule
- registry_set_windows_defender_tamper.yml (id: 0eb46774-f1ab-4a74-8238-1155855f2263)

- proc_creation_win_reg_susp_paths.yml (id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829)



[back](../index.md)
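Review bot: the two entries in the `# Sigma Rule` section are separated by a blank line and then followed by three empty lines before the `[back](../index.md)` link, which renders as a loose list with a large gap; the generator should emit the entries as a tight list (`- registry_set_windows_defender_tamper.yml (id: ...)` directly followed by `- proc_creation_win_reg_susp_paths.yml (id: ...)`) and a single blank line before the back link, as the other sections of this page do.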
4 changes: 3 additions & 1 deletion tests/47c96489-2f55-4774-a6df-39faff428f6f.md
@@ -1,7 +1,7 @@

[back](../index.md)

Find sigma rule :x:
Find sigma rule :heavy_check_mark:

# Attack: Impair Defenses: Downgrade Attack

@@ -32,6 +32,8 @@ Executes outdated PowerShell Version 2 which does not support security features
powershell

# Sigma Rule
- proc_creation_win_powershell_downgrade_attack.yml (id: b3512211-c67e-4707-bedc-66efc7848863)



[back](../index.md)
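Review bot: proc_creation_win_powershell_downgrade_attack.yml is a process-creation rule, so it only fires when command-line auditing is collected (Security 4688 with process command line enabled, or Sysmon event 1); a plain 4688 without the command line will not carry the arguments that request version 2, and the test page should say so next to the rule id so that a :heavy_check_mark: is not read as coverage on hosts without that telemetry.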
4 changes: 3 additions & 1 deletion tests/70bd71e6-eba4-4e00-92f7-617911dbe020.md
@@ -1,7 +1,7 @@

[back](../index.md)

Find sigma rule :x:
Find sigma rule :heavy_check_mark:

# Attack: Impair Defenses: Disable or Modify Tools

@@ -45,6 +45,8 @@ We do not recommend running this in production.
powershell

# Sigma Rule
- registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml (id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a)



[back](../index.md)
4 changes: 3 additions & 1 deletion tests/a72cfef8-d252-48b3-b292-635d332625c3.md
@@ -1,7 +1,7 @@

[back](../index.md)

Find sigma rule :x:
Find sigma rule :heavy_check_mark:

# Attack: Impair Defenses: Disable or Modify Tools

@@ -41,6 +41,8 @@ Disable Windows Defender by tampering with windows defender registry through pow
powershell

# Sigma Rule
- registry_set_windows_defender_tamper.yml (id: 0eb46774-f1ab-4a74-8238-1155855f2263)



[back](../index.md)
4 changes: 3 additions & 1 deletion tests/a768aaa2-2442-475c-8990-69cf33af0f4e.md
@@ -1,7 +1,7 @@

[back](../index.md)

Find sigma rule :x:
Find sigma rule :heavy_check_mark:

# Attack: Abuse Elevation Control Mechanism: Bypass User Account Control

@@ -38,6 +38,8 @@ This atomic regarding setting ConsentPromptBehaviorAdmin to 0 configures the UAC
command_prompt

# Sigma Rule
- registry_set_disable_function_user.yml (id: e2482f8d-3443-4237-b906-cc145d87a076)



[back](../index.md)
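Review bot: the only rule mapped here, registry_set_disable_function_user.yml, is by its name a broad "disable user function" registry rule rather than a UAC-specific one, so the page should state which registry value the match relies on (the ConsentPromptBehaviorAdmin value named in the test description) to make clear that the coverage is for that value being set to 0 and not for UAC bypass in general.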
8 changes: 7 additions & 1 deletion tests/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.md
@@ -1,7 +1,7 @@

[back](../index.md)

Find sigma rule :x:
Find sigma rule :heavy_check_mark:

# Attack: Subvert Trust Controls: SIP and Trust Provider Hijacking

@@ -42,6 +42,12 @@ the system to utilize it during signature checks, and logging said checks.
command_prompt

# Sigma Rule
- proc_creation_win_regsvr32_susp_parent.yml (id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22)

- proc_creation_win_regsvr32_susp_exec_path_2.yml (id: 327ff235-94eb-4f06-b9de-aaee571324be)

- registry_set_sip_persistence.yml (id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1)



[back](../index.md)
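Review bot: the three rules listed draw on two different Windows log sources: proc_creation_win_regsvr32_susp_parent.yml and proc_creation_win_regsvr32_susp_exec_path_2.yml need process-creation events with parent process and command line, while registry_set_sip_persistence.yml needs registry value-set events (Sysmon event 13 or 4657 with an audit SACL on the key); tagging each entry with its log source would tell a reader that an environment collecting only process creation gets no coverage of the persistence side, and the single :heavy_check_mark: in the index currently hides that.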

0 comments on commit dfb4169