Problem & Solution: ERROR executing T1562.001-27 | Atomic Test Name: Disable Windows Defender with DISM

[sayandip-chatterjee]

atomic-red-team/atomics/T1562.001/T1562.001.yaml

Line 560 in 47c80ca

- name: Disable Windows Defender with DISM

What did you do?

ℹ Please replace this with what you did.
Ran atomic test case : T1562.001-27

What did you expect to happen?

ℹ Please replace this with what you expected to happen.
Thought the test case will be successfully executed

What happened instead?

ℹ Please replace this with of what happened instead.

Executing test: T1562.001-27 Disable Windows Defender with DISM Error: 0x800f080c Feature name Windows-Defender is unknown. A Windows feature name was not recognized. Use the /Get-Features option to find the name of the feature in the image and try the command again. Exit code: -2146498548 Done executing test: T1562.001-27 Disable Windows Defender with DISM

Your Environment

• Which specific operating system are you running (e.g. Windows 7 SP1 32-bit)? Windows11
• Did you run the test from an elevated or root prompt? Yes, powershell as admin
• If relevant, which atomic test is this specific to? T1562.001-27

Possible Solution:

Error 0x800f080c = “Feature name not recognized” — the specified feature doesn’t exist in your system image.

In modern Windows 10/11 builds (and Windows Server 2019/2022), Windows Defender is now part of the Microsoft Defender Antivirus component — it’s integrated and not managed through DISM anymore.
DISM no longer lists a feature literally named Windows-Defender.

To check the actual Defender-related features available, run:
dism /online /Get-Features | findstr /I "Defender"
dism /online /Get-Features | Select-String "Defender"

Typical valid Defender-related features you might see include:

However, note:

None of these control the core antivirus service anymore.
The antivirus is managed by:
Set-MpPreference PowerShell cmdlets
or via Group Policy / Registry
or via Windows Security settings.

If your goal is to simulate disabling Defender (e.g., for Atomic Red Team T1562.001-27):

Use this updated PowerShell-based test instead of DISM:
Set-MpPreference -DisableRealtimeMonitoring $true

That correctly disables real-time protection (with admin rights) and aligns with the MITRE test intent.

[sayandip-chatterjee]

I wanted to raise a PR for the fix but could not so here’s a safe, ready-to-run Atomic-style simulation for T1562.001-27 (Disable Windows Defender with DISM — updated for modern Windows):

Important: Run these in a controlled test environment with admin rights. Don’t run on production endpoints. Modern Windows may have Tamper Protection or cloud protections that prevent permanent disabling.

Test (simulate disabling real-time Defender)

Run as Administrator in PowerShell:

# Check current status first
Get-MpComputerStatus | Select-Object AMServiceEnabled,AMServiceVersion,AntispywareEnabled,RealTimeProtectionEnabled,FullScanAge

# Disable real-time protection (simulation)
Set-MpPreference -DisableRealtimeMonitoring $true

• Set-MpPreference -DisableRealtimeMonitoring $true will disable real-time monitoring (what testers commonly use to simulate Defender being turned off).
• This aligns with the intent of the MITRE test (disabling detection capability) without using DISM, which no longer controls the core AV service on modern Windows.

Verify the effect:

# Verify real-time protection flag
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled,AntispywareEnabled,AMServiceEnabled

# Also check the Defender preferences
Get-MpPreference | Select-Object DisableRealtimeMonitoring,HighThreatDefaultAction,ThreatDefaultAction

• RealTimeProtectionEnabled should flip to False if the change succeeded.

Revert / Cleanup (very important)

# Re-enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Verify re-enabled
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled

Notes & gotchas

• Must run as Administrator.
• Tamper Protection (Windows Security → Virus & threat protection → Manage settings) prevents programmatic disabling of Defender in many builds/organisations. If Tamper Protection is ON, Set-MpPreference may appear to succeed but Defender will re-enable or the cmdlet will be blocked. Tamper Protection is a user/tenant-level setting and is intentionally hard to change via script.
• Cloud-delivered protection / endpoint management (Microsoft Defender for Endpoint / Intune / Group Policy) can also re-enable protections automatically.
• DISM error Feature name Windows-Defender is unknown is expected — DISM no longer controls the core antivirus component on modern Windows.
• For a clean Atomic test case, include both the disable command and the revert command so automated test harnesses always restore the system.

Example atomic-style test entry (pseudo)

# atomic test: T1562.001-27 (modern simulation)
Invoke-AtomicTest T1562.001 -Steps @{
  1 = @{
    Name = "Disable Defender realtime (simulation)"
    Command = "powershell -Command Set-MpPreference -DisableRealtimeMonitoring `$true"
    RunAsAdmin = $true
  }
  2 = @{
    Name = "Verify"
    Command = "powershell -Command Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled"
  }
  Cleanup = @{
    Command = "powershell -Command Set-MpPreference -DisableRealtimeMonitoring `$false"
  }
}