Update T1112.yaml (#2774)

* Update T1112.yaml Add new test Disable Windows Prefetch Through Registry * fix spacing --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
redcanaryco · May 10, 2024 · 5f866ca · 5f866ca
1 parent 56b0e29
commit 5f866ca
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
@@ -1087,3 +1087,15 @@ atomic_tests:
     cleanup_command: 'if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)'
     name: command_prompt
     elevation_required: true   
+- name: Disable Windows Prefetch Through Registry 
+  description: |
+    Modify the registry of the machine to disable prefetch. Disabling prefetch will remove one artifact for evidence of application execution. Restart is required post modification
+  supported_platforms:
+  - windows
+  executor:
+    command: | 
+       reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
+    cleanup_command: |
+       reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
+    name: command_prompt
+    elevation_required: true