From f2fbeb18ed2f43f0f9edbcdec1f2f1cbf64ed14e Mon Sep 17 00:00:00 2001
From: san-gwea <57334373+san-gwea@users.noreply.github.com>
Date: Sat, 18 Jan 2020 23:09:07 -0600
Subject: [PATCH] T1003 rm (#778)

* show executor and privilege requirement
* added an atomic to add c2 domain under trusted zoneMap
* corrected typos
* modified adding a domain by creating one the key is not there
* moved registry modification atomic under T1112
* updated local execution file to be current
* corrected typos
* replaced rm by del for tests with executor as command_prompt
* changing rm to del for command_prompt
* Update T1102.yaml
* Update T1112.yaml my local repo was behind. This file wasn't changed this time.

Co-authored-by: Carrie Roberts
---
 atomics/T1003/T1003.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index fe9d84bc1..40f327306 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -76,9 +76,9 @@ atomic_tests:
 reg save HKLM\system "#{output_folder}\system"
 reg save HKLM\security "#{output_folder}\security"
 cleanup_command: |
- rm "#{output_folder}\sam"
- rm "#{output_folder}\system"
- rm "#{output_folder}\security"
+ del "#{output_folder}\sam" >nul 2> nul
+ del "#{output_folder}\system" >nul 2> nul
+ del "#{output_folder}\security" >nul 2> nul
 
 - name: Dump LSASS.exe Memory using ProcDump
 description: |
@@ -104,7 +104,7 @@ atomic_tests:
 command: |
 #{procdump_binary_path} -accepteula -ma lsass.exe #{output_file}
 cleanup_command: |
- rm "#{output_file}"
+ del "#{output_file}" >nul 2> nul
 
 - name: Dump LSASS.exe Memory using Windows Task Manager
 description: |
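Review bot: The `>nul 2> nul` appended to each `del` in this cleanup_command hides a failed deletion, and the three files being removed are saved copies of the SAM, SYSTEM and SECURITY hives — if `del` fails (file locked, read-only attribute, path not what the test expected) the credential material stays on disk and the harness gets no signal. Consider `del /f "#{output_folder}\sam" >nul` (and the same for system/security) so a read-only attribute does not block removal, and keep stderr visible or add a YAML comment explaining why errors are deliberately swallowed. The executor block this cleanup belongs to starts outside the hunk.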
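Review bot: For the ProcDump test, `del "#{output_file}" >nul 2> nul` silences the one failure that matters most here: the file is a full LSASS memory dump (`-ma` on the command line above), so a cleanup that fails quietly leaves a credential-bearing dump on the host while the test reports clean. At minimum keep stderr for this line, e.g. `del /f "#{output_file}" >nul`, and it would be worth a note in the test's description that the dump is plain-deleted rather than wiped, so operators on shared hosts know the contents may remain recoverable until overwritten. The test's executor block begins outside the hunk.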
@@ -221,9 +221,9 @@ atomic_tests:
 copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
 reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
 cleanup_command: |
- rm "#{extract_path}\ntds.dit"
- rm "#{extract_path}\VSC_SYSTEM_HIVE"
- rm "#{extract_path}\SYSTEM_HIVE"
+ del "#{extract_path}\ntds.dit" >nul 2> nul
+ del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
+ del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
 
 - name: GPP Passwords (findstr)
 description: |
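Review bot: This cleanup removes only the extracted files; the volume shadow copy that `#{vsc_name}` points to in the `copy` line above is not touched here, and whether the test creates that snapshot and deletes it elsewhere is outside this hunk. If the test does create it, the cleanup should also remove it (for example `vssadmin delete shadows /shadow=<id> /quiet` against the snapshot the test made), otherwise a snapshot containing ntds.dit and the SYSTEM hive persists after the test reports clean. As in the other hunks, `2> nul` also hides a failed `del` of `ntds.dit`, so at least that line should keep stderr visible, e.g. `del /f "#{extract_path}\ntds.dit" >nul`. The executor block for this test starts outside the hunk.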