From 1cb761c5a0196d2b97d8a9c93e09f18e4ae1a027 Mon Sep 17 00:00:00 2001
From: Alphonsa George <54078658+alphonsa-01@users.noreply.github.com>
Date: Thu, 13 Jun 2024 17:07:09 -0500
Subject: [PATCH] Modified the Prereq_command of Test Unload Sysmon Filter Driver (#2807)

* Modified the Prereq_command of Test Unload Sysmon Filter Driver

* modified typo on the description

---------

Co-authored-by: alphonsa-01
---
 atomics/T1562.001/T1562.001.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 3b7f7173..93c44662 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -188,7 +188,7 @@ atomic_tests:
 - name: Unload Sysmon Filter Driver
   auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
   description: |
-    Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
+    Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,
     run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
   supported_platforms:
   - windows
@@ -202,7 +202,7 @@ atomic_tests:
   - description: |
       Sysmon must be downloaded
     prereq_command: |
-      if (-not (cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe")) { exit 0 } else { exit 1 }
+      if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr /i Sysmon 2> nul") -or (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe")) { exit 0 } else { exit 1 }
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip"
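Review bot: The corrected `prereq_command` in the second hunk now passes whenever `where.exe` finds any file named Sysmon.exe, and `where.exe` searches the current directory before PATH, so a stray or planted Sysmon.exe satisfies the dependency without being the Sysinternals binary whose filter driver the test is meant to unload; the test's executor is outside this hunk, so which copy it actually runs cannot be confirmed here. The `findstr /i Sysmon` stage adds nothing, because `where.exe Sysmon.exe` already restricts its output to that file name, and the check relies on the truthiness of captured stdout rather than on `where.exe`'s exit code. A stronger gate resolves the path first, `$sysmon = (Get-Command Sysmon.exe -ErrorAction SilentlyContinue).Source`, falls back to the `PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe` path when that is empty, and then requires a valid signature: `if ((Test-Path $sysmon) -and ((Get-AuthenticodeSignature $sysmon).Status -eq 'Valid')) { exit 0 } else { exit 1 }`. Separately, the `get_prereq_command` shown as context fetches Sysmon.zip with `Invoke-WebRequest` and no hash or signature verification of the download, and that command continues past the end of this hunk.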