diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 98985ad8..be5377bc 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -210,9 +210,9 @@ atomic_tests:
 - description: |
 sysmon must be Installed
 prereq_command: |
- if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
+ if(sc.exe query | findstr sysmon) { exit 0 } else { exit 1 }
 get_prereq_command: |
- if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
+ if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { sysmon -accepteula -i } else
 { & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i}
 - description: |
 sysmon filter must be loaded
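Review bot: The new `prereq_command` pipes the whole `sc.exe query` listing through a case-sensitive `findstr sysmon`, so it only passes when a service name is printed in lower case; the old form echoed the queried name back, but `sc.exe query` with no argument prints names as registered (typically `Sysmon` or `Sysmon64`), which this pattern will not match. Use `findstr /i sysmon` (or `findstr /i /c:"SERVICE_NAME: Sysmon"` to avoid substring hits) here and in the equivalent prereq in hunk `@@ -262,15 +269,33 @@`, which carries the same case-sensitive `findstr "sysmon"`. Note also that `sc.exe query` without `state= all` appears to list only running services, so a stopped Sysmon service reads as "not installed" and the `get_prereq_command` would attempt an install over it; `sc.exe query state= all | findstr /i sysmon` avoids that.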
@@ -220,20 +220,27 @@ atomic_tests:
 if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
 get_prereq_command: |
 if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
- & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u
+ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u force
 & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
 }else{
- sysmon -u
- sysmon -accepteula -i
+ Get-Service -Name Sysmon* | ForEach-Object {
+ & "$($_.Name)" -u force
+ & "$($_.Name)" -accepteula -i
+ }
 }
 executor:
 command: |
 fltmc.exe unload #{sysmon_driver}
 cleanup_command: |
- sysmon -u -i > nul 2>&1
- sysmon -i -accepteula -i > nul 2>&1
- "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u > nul 2>&1
- "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i > nul 2>&1
+ if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
+ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u force
+ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
+ }else{
+ Get-Service -Name Sysmon* | ForEach-Object {
+ & "$($_.Name)" -u force
+ & "$($_.Name)" -accepteula -i
+ }
+ }
 name: command_prompt
 elevation_required: true
 - name: Uninstall Sysmon
@@ -252,7 +259,7 @@ atomic_tests:
 - description: |
 Sysmon executable must be available
 prereq_command: |
- if(cmd /c where sysmon) {exit 0} else {exit 1}
+ if(cmd /c where.exe sysmon*) {exit 0} else {exit 1}
 get_prereq_command: |
 $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
 New-Item -ItemType Directory $parentpath -Force | Out-Null
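Review bot: The rewritten `cleanup_command` is PowerShell (`if(Test-Path …){ & … }`, `Get-Service … | ForEach-Object { … }`) but the executor two lines below is still `name: command_prompt`, so the cleanup will be handed to cmd.exe, which cannot parse it; the later test in hunk `@@ -262,15 +269,33 @@` makes the same rewrite and switches to `name: powershell`, and this one should do the same. Separately, the else branch runs `& "$($_.Name)" -u force` and `& "$($_.Name)" -accepteula -i`, which invoke the service name as a command and only work while the Sysmon binary is on PATH under exactly that name; an install from a renamed or relocated binary fails here, so consider resolving the executable from the service's `PathName` (e.g. via `Get-CimInstance Win32_Service`) instead of its name. Both the prerequisite and the cleanup reinstall with `-i` and no configuration file, which replaces any tuned Sysmon configuration on the host with the default one — worth stating in the test description so operators know to restore their config afterwards.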
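Review bot: The new `where.exe sysmon*` glob matches any file in PATH whose name starts with `sysmon`, not just an executable, so a stray `sysmon.xml` or `Sysmon.zip` in a PATH directory satisfies this prerequisite while `sysmon` itself still cannot be run. Tightening it to `where.exe sysmon*.exe` keeps the intent of accepting both `Sysmon.exe` and `Sysmon64.exe` without that false positive. The `get_prereq_command` below unpacks the binary under `#{sysmon_exe}`, which `where.exe` only sees if that directory is on PATH; that gap predates this change but is worth noting next to the check.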
@@ -262,15 +269,33 @@ atomic_tests:
 - description: |
 Sysmon must be installed
 prereq_command: |
- if(cmd /c sc query sysmon) { exit 0} else { exit 1}
+ if( cmd /c 'sc.exe query | findstr "sysmon"') { exit 0} else { exit 1}
 get_prereq_command: |
- cmd /c sysmon -i -accepteula
+ if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
+ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
+ }else{
+ Get-Service -Name Sysmon* | ForEach-Object {
+ & "$($_.Name)" -accepteula -i
+ }
+ }
 executor:
 command: |
- sysmon -u
+ if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
+ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u force
+ }else{
+ Get-Service -Name Sysmon* | ForEach-Object {
+ & "$($_.Name)" -u force
+ }
+ }
 cleanup_command: |
- sysmon -i -accepteula >nul 2>&1
- name: command_prompt
+ if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
+ & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
+ }else{
+ Get-Service -Name Sysmon* | ForEach-Object {
+ & "$($_.Name)" -accepteula -i
+ }
+ }
+ name: powershell
 elevation_required: true
 - name: AMSI Bypass - AMSI InitFailed
 auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
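Review bot: The `get_prereq_command`, executor `command` and `cleanup_command` all hard-code `PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe`, while the preceding prerequisite (hunk `@@ -252,7 +259,7 @@`, apparently the same test) downloads the binary to `#{sysmon_exe}`; if a user overrides that argument the hard-coded path does not exist, every branch falls through to `Get-Service -Name Sysmon*`, and with no Sysmon service installed yet the `get_prereq_command` silently does nothing. Use the input argument in all three places, e.g. `if(Test-Path "#{sysmon_exe}"){ & "#{sysmon_exe}" -accepteula -i }`. The new `prereq_command` shares the case-sensitive `findstr "sysmon"` problem raised on the first hunk, and the `cleanup_command` reinstalls with `-i` and no config file, so it restores Sysmon with the default configuration rather than the one that was present before the test.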