Cleanup fixes (#1108)
* Cleanup Fixes * Wrong executor name and missing $ sign in T1553 * Cleanup fixes * File checks added * File path error check changed
This commit is contained in:
committed by
GitHub
parent
91d71a722e
commit
02ac2deb4f
@@ -108,7 +108,7 @@ atomic_tests:
|
||||
mkdir #{output_folder}
|
||||
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
|
||||
cleanup_command: |
|
||||
rmdir /q /s #{output_folder}
|
||||
rmdir /q /s #{output_folder} >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||
|
||||
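Review bot: The new `rmdir /q /s #{output_folder} >nul 2>&1` hides a failed removal of the ntdsutil IFM output, and that folder holds a copy of the directory database, so a leftover copy is the one artifact this cleanup must not leave behind silently. The common no-op case (folder already gone) can be made quiet without discarding real failures: `if exist "#{output_folder}" rmdir /q /s "#{output_folder}"`. Quoting the input also keeps the command intact if the folder path contains spaces. The test definition this executor belongs to starts outside the hunk.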
@@ -79,7 +79,7 @@ atomic_tests:
|
||||
default: "1337"
|
||||
executor:
|
||||
command: netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
|
||||
cleanup_command: netsh interface portproxy delete v4tov4 listenport=#{listenport}
|
||||
cleanup_command: netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
|
||||
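Review bot: `-ErrorAction Ignore` on the new cleanup line is a cmdlet common parameter, but `netsh` is a native executable, so PowerShell hands `-ErrorAction` and `Ignore` to netsh as two extra arguments instead of suppressing anything; I expect netsh to reject the command rather than delete the portproxy entry, which defeats the cleanup. Redirect the native command's streams instead: `cleanup_command: netsh interface portproxy delete v4tov4 listenport=#{listenport} *>$null`. The executor's `command:` line above is unaffected.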
@@ -188,7 +188,7 @@ atomic_tests:
|
||||
command: |
|
||||
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
|
||||
cleanup_command: |
|
||||
del #{local_path}
|
||||
del #{local_path} >nul 2>&1
|
||||
name: command_prompt
|
||||
- name: certutil download (verifyctl)
|
||||
auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b
|
||||
|
||||
@@ -28,7 +28,7 @@ atomic_tests:
|
||||
New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
|
||||
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
|
||||
cleanup_command: |
|
||||
Remove-Item $env:TEMP\T1119_powershell_collection -Force | Out-Null
|
||||
Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null
|
||||
name: powershell
|
||||
- name: Recon information for export with PowerShell
|
||||
auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26
|
||||
|
||||
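Review bot: The new `Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null` still lacks `-Recurse`, and the directory is populated by the `Copy-Item` in the command above; as far as I can tell Remove-Item treats a non-empty directory without `-Recurse` as a confirmation prompt rather than an error, so `-ErrorAction Ignore` does not cover it and the cleanup can stall or leave the copied documents in place. Suggested line: `Remove-Item $env:TEMP\T1119_powershell_collection -Recurse -Force -ErrorAction Ignore | Out-Null`.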
@@ -14,9 +14,10 @@ atomic_tests:
|
||||
Start-Process $file1 /S;
|
||||
Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'
|
||||
cleanup_command: |-
|
||||
Start-Process 'C:\Program Files (x86)\TeamViewer\uninstall.exe' "/S"
|
||||
$file = 'C:\Program Files (x86)\TeamViewer\uninstall.exe'
|
||||
if(Test-Path $file){ Start-Process $file "/S" -ErrorAction Ignore | Out-Null }
|
||||
$file1 = "C:\Users\" + $env:username + "\Desktop\TeamViewer_Setup.exe"
|
||||
Remove-Item $file1
|
||||
Remove-Item $file1 -ErrorAction Ignore | Out-Null
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: AnyDesk Files Detected Test on Windows
|
||||
@@ -32,7 +33,7 @@ atomic_tests:
|
||||
Start-Process $file1 /S;
|
||||
cleanup_command: |-
|
||||
$file1 = "C:\Users\" + $env:username + "\Desktop\AnyDesk.exe.exe"
|
||||
Remove-Item $file1
|
||||
Remove-Item $file1 -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: LogMeIn Files Detected Test on Windows
|
||||
@@ -48,9 +49,9 @@ atomic_tests:
|
||||
Start-Process $file1 /S;
|
||||
Start-Process 'C:\Program Files (x86)\LogMeInIgnition\LMIIgnition.exe' "/S"
|
||||
cleanup_command: |-
|
||||
get-package *'LogMeIn Client'* | uninstall-package
|
||||
get-package *'LogMeIn Client'* -ErrorAction Ignore | uninstall-package
|
||||
$file1 = "C:\Users\" + $env:username + "\Desktop\LogMeInIgnition.msi"
|
||||
Remove-Item $file1
|
||||
Remove-Item $file1 -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
|
||||
@@ -61,8 +61,8 @@ atomic_tests:
|
||||
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
|
||||
bcdedit.exe /set {default} recoveryenabled no
|
||||
cleanup_command: |
|
||||
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
|
||||
bcdedit.exe /set {default} recoveryenabled yes
|
||||
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures >nul 2>&1
|
||||
bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
|
||||
|
||||
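Review bot: The `>nul 2>&1` added to both bcdedit restore lines discards the only signal that the host was left with boot recovery disabled, which is the state the test deliberately puts it in; the same pattern is applied to `netsh advfirewall set currentprofile state on`, `netsh advfirewall reset` and the firewall rule deletion in the three netsh hunks, and to the `reg.exe import` and `sdbinst.exe -u` cleanups. For restores of security-relevant state a silent failure is worse than a noisy one, so keep a one-line failure signal, e.g. `bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1 || echo cleanup: failed to re-enable recovery`, or leave stderr unredirected. The firewall and registry cleanups can use the same `|| echo` form. The atomic test these lines belong to starts outside the hunk.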
@@ -34,8 +34,10 @@ atomic_tests:
|
||||
Enable-TransportAgent #{transport_agent_identity}
|
||||
Get-TransportAgent | Format-List Name,Enabled
|
||||
cleanup_command: |
|
||||
Disable-TransportAgent #{transport_agent_identity}
|
||||
Uninstall-TransportAgent #{transport_agent_identity}
|
||||
Get-TransportAgent
|
||||
if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){
|
||||
Disable-TransportAgent #{transport_agent_identity}
|
||||
Uninstall-TransportAgent #{transport_agent_identity}
|
||||
Get-TransportAgent
|
||||
}
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
@@ -22,6 +22,6 @@ atomic_tests:
|
||||
command: |
|
||||
assoc #{extension_to_change}=#{target_extension_handler}
|
||||
cleanup_command: |
|
||||
assoc .hta=htafile
|
||||
assoc .hta=htafile >nul 2>&1
|
||||
name: command_prompt
|
||||
|
||||
|
||||
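Review bot: The rewritten cleanup line still restores `.hta=htafile` unconditionally while the command above changes `#{extension_to_change}`, so an operator who overrides that input leaves a modified association behind, and the new `>nul 2>&1` hides nothing useful in that case. At minimum the test description should state that cleanup assumes the default input (`.hta` handled by `htafile`); the fuller fix is to record the existing handler with `assoc #{extension_to_change}` in the command before changing it and restore that value in cleanup. Both inputs are defined outside the hunk.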
@@ -41,6 +41,6 @@ atomic_tests:
|
||||
command: |
|
||||
reg.exe import #{registry_file}
|
||||
cleanup_command: |
|
||||
reg.exe import #{registry_cleanup_file}
|
||||
reg.exe import #{registry_cleanup_file} >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
@@ -36,7 +36,7 @@ atomic_tests:
|
||||
command: |
|
||||
sdbinst.exe #{file_path}
|
||||
cleanup_command: |
|
||||
sdbinst.exe -u #{file_path}
|
||||
sdbinst.exe -u #{file_path} >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: New shim database files created in the default shim database directory
|
||||
|
||||
@@ -39,11 +39,10 @@ atomic_tests:
|
||||
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
|
||||
START MMC.EXE EVENTVWR.MSC
|
||||
cleanup_command: |
|
||||
Write-Host "Removing registry keys" -ForegroundColor Cyan
|
||||
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
|
||||
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
|
||||
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
|
||||
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
|
||||
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force -ErrorAction Ignore
|
||||
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
|
||||
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
|
||||
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
|
||||
name: powershell
|
||||
- name: COM Hijack Leveraging System Scope COR_PROFILER
|
||||
auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
|
||||
@@ -79,10 +78,9 @@ atomic_tests:
|
||||
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
|
||||
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
|
||||
cleanup_command: |
|
||||
Write-Host "Removing system environment variables" -ForegroundColor Cyan
|
||||
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force | Out-Null
|
||||
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force | Out-Null
|
||||
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force | Out-Null
|
||||
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
|
||||
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
|
||||
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: COM Hijack Leveraging registry-free process scope COR_PROFILER
|
||||
|
||||
@@ -205,8 +205,6 @@ atomic_tests:
|
||||
import-module #{file_path}\timestomp.ps1
|
||||
timestomp -dest "#{file_path}\kxwn.lock"
|
||||
cleanup_command: |-
|
||||
Write-Host "Removing #{file_path}\timestomp.ps1"
|
||||
Remove-Item #{file_path}\timestomp.ps1 -ErrorAction Ignore
|
||||
Write-Host "Removing #{file_path}\kxwn.lock"
|
||||
Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore
|
||||
name: powershell
|
||||
@@ -107,7 +107,7 @@ atomic_tests:
|
||||
if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
|
||||
get_prereq_command: |
|
||||
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
|
||||
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path}
|
||||
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
|
||||
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
|
||||
executor:
|
||||
command: |
|
||||
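Review bot: The new `Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item` here and the two matching lines in the cleanup hunk that follows (which also targets `Cert:\LocalMachine\Root`) depend on `$cert` being set; if `New-SelfSignedCertificate` or the cleanup's `Import-Certificate` fails, `$cert` is `$null`, the path collapses to the store itself, and as far as I can tell Get-ChildItem then enumerates every certificate in that store and pipes all of them to Remove-Item, in the cleanup case with `-ErrorAction Ignore` on both sides, so the machine's personal and trusted-root stores could be emptied without any message. Guard each removal on the variable, e.g. `if ($cert) { Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item }`, and apply the same guard to both cleanup lines. `#{pfx_path}` and the test header are outside the hunk.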
@@ -115,7 +115,7 @@ atomic_tests:
|
||||
Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
|
||||
cleanup_command: |
|
||||
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
|
||||
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
|
||||
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item
|
||||
name: command_prompt
|
||||
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
|
||||
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
@@ -297,7 +297,7 @@ atomic_tests:
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Disable Microft Office Security Features
|
||||
- name: Disable Microsoft Office Security Features
|
||||
auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
|
||||
description: |
|
||||
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
|
||||
@@ -317,8 +317,8 @@ atomic_tests:
|
||||
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
|
||||
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
|
||||
cleanup_command: |
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
|
||||
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
|
||||
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
|
||||
name: powershell
|
||||
- name: Remove Windows Defender Definition Files
|
||||
auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
|
||||
|
||||
@@ -17,5 +17,7 @@ atomic_tests:
|
||||
command: |
|
||||
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
|
||||
cleanup_command: |
|
||||
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
|
||||
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
|
||||
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
|
||||
}
|
||||
name: powershell
|
||||
@@ -31,7 +31,7 @@ atomic_tests:
|
||||
command: |
|
||||
netsh advfirewall set currentprofile state off
|
||||
cleanup_command: |
|
||||
netsh advfirewall set currentprofile state on
|
||||
netsh advfirewall set currentprofile state on >nul 2>&1
|
||||
name: command_prompt
|
||||
- name: Allow SMB and RDP on Microsoft Defender Firewall
|
||||
auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
|
||||
@@ -45,7 +45,7 @@ atomic_tests:
|
||||
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
|
||||
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
|
||||
cleanup_command: |
|
||||
netsh advfirewall reset
|
||||
netsh advfirewall reset >nul 2>&1
|
||||
name: command_prompt
|
||||
- name: Opening ports for proxy - HARDRAIN
|
||||
auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
|
||||
@@ -58,6 +58,6 @@ atomic_tests:
|
||||
executor:
|
||||
command: |
|
||||
netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
|
||||
cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450
|
||||
cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||