clean up : Added "-ErrorAction Ignore" to remove error for file not created (#777)

* show executor and privilege requirement

* added an atomic to add c2 domain under trusted zoneMap

* corrected typos

* modified adding a domain by creating one if the key is not there

* moved registry modification atomic under T1112

* updated local execution file to be current

* corrected typos

* corrected typos

* added suppression for file not found in clean up

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
san-gwea
2020-01-17 17:53:50 -06:00
committed by Carrie Roberts
parent a526aa7729
commit 413aa26cac
2 changed files with 7 additions and 7 deletions
+5 -5
@@ -28,8 +28,8 @@ atomic_tests:
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
del #{script_path}
del "%USERPROFILE%\desktop\T1037-log.txt"
del #{script_path} >nul 2>nul
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
- name: Startup Folder Script
description: |
@@ -56,9 +56,9 @@ atomic_tests:
New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" -force
Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "cmd /c #{system_command}"
cleanup_command: |
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
Remove-Item "$env:USERPROFILE\desktop\T1037-log.txt"
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" -ErrorAction Ignore
Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" -ErrorAction Ignore
Remove-Item "$env:USERPROFILE\desktop\T1037-log.txt" -ErrorAction Ignore
- name: Scheduled Task Startup Script
description: |
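Review bot: In the first hunk the cleanup runs `del #{script_path} >nul 2>nul` with the path unquoted, while the `REG.exe ADD` line above it quotes `"#{script_path}"`. If the supplied path contains a space, `del` fails, and with both streams now redirected that failure is silent, so the script file stays on the host after cleanup. I would quote it, `del "#{script_path}" >nul 2>nul`, assuming the argument's default value does not already carry its own quotes (the input_arguments are outside the hunk). The same silencing applies to the three `Remove-Item ... -ErrorAction Ignore` lines in the second hunk, where a Startup-folder script that could not be removed would no longer be reported.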
+2 -2
@@ -91,7 +91,7 @@ atomic_tests:
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
cleanup_command: |
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
- name: Bypass UAC using ComputerDefaults - PowerShell
description: |
@@ -139,4 +139,4 @@ atomic_tests:
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q
del "c:\testbypass.exe"
del "c:\testbypass.exe" >nul 2>nul
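Review bot: `-ErrorAction Ignore` on the `Remove-Item "HKCU:\software\classes\ms-settings"` cleanup line hides every non-terminating error, not only the missing-key case the commit is after, so a removal that fails for another reason leaves the `ms-settings` open-command override in the user's hive with no message. Guarding on existence keeps real failures visible: `if (Test-Path "HKCU:\software\classes\ms-settings") { Remove-Item "HKCU:\software\classes\ms-settings" -Force -Recurse }`. In the last hunk `del` is now silenced but the `rd "\\?\C:\Windows \" /S /Q` line before it is not, so that cleanup still prints an error when the directory is absent; either redirect both or neither. Both cleanup blocks belong to tests whose definitions start outside the hunks.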