security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1027 t1053 cleanup errors (#828)

Browse Source 
* fixed

* T1027-T1053_CleanupErrors

* T1027-T1053_CleanupErrors(2)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
tlor89
2020-02-10 12:29:45 -06:00
committed by GitHub
parent d5a32b161c
commit 4c35cdb5ff
4 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1027/T1027.yaml
+1 -1
View File
@@ -73,4 +73,4 @@ atomic_tests:
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
cleanup_command: |
Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
atomics/T1036/T1036.yaml
+2 -2
View File
@@ -106,7 +106,7 @@ atomic_tests:
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
cleanup_command: |
del #{outputfile}
Remove-Item #{outputfile} -Force -ErrorAction Ignore
- name: Masquerading - windows exe running as different windows exe
description: |
@@ -133,7 +133,7 @@ atomic_tests:
$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036
cleanup_command: |
del #{outputfile}
Remove-Item #{outputfile} -Force -ErrorAction Ignore
- name: Malicious process Masquerading as LSM.exe
description: |
atomics/T1050/T1050.yaml
+4 -3
View File
@@ -48,8 +48,9 @@ atomic_tests:
name: powershell
elevation_required: true
command: |
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null
Start-Service -Name "#{service_name}"
cleanup_command: |
Stop-Service -Name "#{service_name}"
(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}
atomics/T1053/T1053.yaml
+1 -1
View File
@@ -87,4 +87,4 @@ atomic_tests:
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
cleanup_command: |
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1