security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1002-T1049_Cleanup (#930)

Browse Source 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
tlor89
2020-04-06 18:05:47 -05:00
committed by GitHub
parent 86c332859d
commit 5d41e4168e
4 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1015/T1015.yaml
+2 -2
View File
@@ -47,5 +47,5 @@ atomic_tests:
Foreach ($item in $input_table)
{
$item = $item.trim()
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f
}
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f | Out-Null
}
atomics/T1031/T1031.yaml
+1 -1
View File
@@ -20,4 +20,4 @@ atomic_tests:
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
cleanup_command:
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
atomics/T1037/T1037.yaml
+3 -3
View File
@@ -26,7 +26,7 @@ atomic_tests:
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
@@ -43,8 +43,8 @@ atomic_tests:
schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
cleanup_command: |
schtasks /delete /tn "T1037_OnLogon" /f
schtasks /delete /tn "T1037_OnStartup" /f
schtasks /delete /tn "T1037_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1037_OnStartup" /f >nul 2>&1
- name: Logon Scripts - Mac
description: |
atomics/T1047/T1047.yaml
+3 -3
View File
@@ -81,7 +81,7 @@ atomic_tests:
command: |
wmic process call create #{process_to_execute}
cleanup_command: |
wmic process where name='#{process_to_execute}' delete
wmic process where name='#{process_to_execute}' delete >nul 2>&1
- name: WMI Execute Remote Process
description: |
@@ -106,5 +106,5 @@ atomic_tests:
command: |
wmic /node:"#{node}" process call create #{process_to_execute}
cleanup_command: |
wmic /node:"#{node}" process where name='#{process_to_execute}' delete
wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1