diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md
index 3f489540..e6cbb3df 100644
--- a/atomics/T1084/T1084.md
+++ b/atomics/T1084/T1084.md
@@ -6,8 +6,6 @@
- [Atomic Test #1 - Persistence](#atomic-test-1---persistence)
-- [Atomic Test #2 - Persistence Cleanup](#atomic-test-2---persistence-cleanup)
-
@@ -45,23 +43,7 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
```
-
-
-
-
-## Atomic Test #2 - Persistence Cleanup
-Run from an administrator powershell window
-
-Code references
-
-https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
-
-https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
-
-**Supported Platforms:** Windows
-
-
-#### Run it with `powershell`!
+#### Cleanup Commands:
```
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
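Review bot: the two code references (the mattifestation gist and the Empire Persistence.psm1 link) and the "Run from an administrator powershell window" note are dropped entirely rather than moved, so the provenance of the WMI subscription commands no longer appears anywhere in T1084.md; consider keeping those links in Atomic Test #1's description, and relying on the executor's elevation flag to convey the administrator requirement for both the test and its cleanup.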
@@ -72,6 +54,4 @@ $EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
```
-
-
diff --git a/atomics/T1090/T1090.md b/atomics/T1090/T1090.md
index 783d1029..91125021 100644
--- a/atomics/T1090/T1090.md
+++ b/atomics/T1090/T1090.md
@@ -16,10 +16,6 @@ The network may be within a single organization or across organizations with tru
## Atomic Test #1 - Connection Proxy
Enable traffic redirection.
-To undo changes made by this test:
- unset http_proxy
- unset https_proxy
-
Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS, Linux
@@ -37,5 +33,10 @@ export #{proxy_scheme}_proxy=#{proxy_server}
```
+#### Cleanup Commands:
+```
+unset http_proxy
+unset https_proxy
+```
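Review bot: the cleanup unsets `http_proxy` and `https_proxy` unconditionally, while the test only exports `#{proxy_scheme}_proxy`, so the cleanup does not track the `proxy_scheme` input; `unset #{proxy_scheme}_proxy` would mirror the variable the test actually set. Note also that `export` and `unset` only affect the shell they run in, so if the executor runs the cleanup in a separate process it has no effect on the shell where the test ran.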
diff --git a/atomics/T1122/T1122.md b/atomics/T1122/T1122.md
index 3d7365ea..27ec3c96 100644
--- a/atomics/T1122/T1122.md
+++ b/atomics/T1122/T1122.md
@@ -19,9 +19,12 @@ Hijack COM Object used by certutil.exe
```
reg import ..\src\COMHijack.reg
certutil.exe -CAInfo
-reg import ..\src\COMHijackCleanup.reg
```
+#### Cleanup Commands:
+```
+reg import ..\src\COMHijackCleanup.reg
+```
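Review bot: `reg import ..\src\COMHijackCleanup.reg` depends on the same working directory as the test command, and now that it is a separate cleanup step it may be invoked on its own; the T1122.md text should state the expected working directory (the atomic's own folder) so the relative path resolves for the cleanup as well as for the test.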
diff --git a/atomics/T1165/T1165.md b/atomics/T1165/T1165.md
index c0b0ce99..985c25e7 100644
--- a/atomics/T1165/T1165.md
+++ b/atomics/T1165/T1165.md
@@ -45,11 +45,13 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
```
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
-#Clean up
+```
+
+
+#### Cleanup Commands:
+```
sudo rm /etc/emond.d/rules/T1165_emond.plist
sudo rm /private/var/db/emondClients/T1165
```
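Review bot: the two blank lines inserted before `#### Cleanup Commands:` differ from the other generated files in this change (T1084, T1090, T1122, T1501), which place the heading directly after the closing fence; if this markdown is generated from index.yaml the generator should emit one consistent spacing. Since a cleanup may run when the test never completed, `sudo rm -f` on both paths would keep it from failing on a missing file.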
-
-
diff --git a/atomics/T1501/T1501.md b/atomics/T1501/T1501.md
index c0b06a0d..ff296f22 100644
--- a/atomics/T1501/T1501.md
+++ b/atomics/T1501/T1501.md
@@ -16,8 +16,6 @@ While adversaries typically require root privileges to create/modify service uni
- [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)
-- [Atomic Test #2 - Cleanup Systemd Test](#atomic-test-2---cleanup-systemd-test)
-
@@ -61,23 +59,7 @@ systemctl start #{systemd_service_file}
```
-
-
-
-
-## Atomic Test #2 - Cleanup Systemd Test
-This cleans up the remnants of the SystemD service unit file creation test.
-
-**Supported Platforms:** Linux
-
-
-#### Inputs
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
-| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-
-#### Run it with `bash`!
+#### Cleanup Commands:
```
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
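Review bot: the cleanup commands still reference `#{systemd_service_path}` and `#{systemd_service_file}`, but the Inputs table that declared those two arguments (with defaults `/etc/systemd/system` and `art-systemd-service.service`) is removed with Atomic Test #2; confirm that Atomic Test #1's own Inputs table declares both names with the same defaults, otherwise the cleanup has unresolved placeholders.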
@@ -85,6 +67,4 @@ rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
```
-
-
diff --git a/atomics/index.md b/atomics/index.md
index ce2d8ec9..70e608d7 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -126,7 +126,6 @@
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1501 Systemd Service](./T1501/T1501.md)
- Atomic Test #1: Create Systemd Service [linux]
- - Atomic Test #2: Cleanup Systemd Test [linux]
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
@@ -135,7 +134,6 @@
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- - Atomic Test #2: Persistence Cleanup [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index fc98f3cb..6547b4d8 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -1131,7 +1131,9 @@ persistence:
command: |
reg import ..\src\COMHijack.reg
certutil.exe -CAInfo
- reg import ..\src\COMHijackCleanup.reg
+ cleanup_command: 'reg import ..\src\COMHijackCleanup.reg
+
+'
T1136:
technique:
external_references:
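Review bot: `cleanup_command` here is a single-quoted scalar spanning a blank line, which yields a value ending in a stray newline, while the other `cleanup_command` entries in this change use `|` or `|-` block scalars; prefer `cleanup_command: |-` followed by the indented `reg import ..\src\COMHijackCleanup.reg` for a consistent, trimmed value. The same entry is duplicated under `defense-evasion` and should be changed the same way.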
@@ -3758,7 +3760,7 @@ persistence:
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
- #Clean up
+ cleanup_command: |
sudo rm /etc/emond.d/rules/T1165_emond.plist
sudo rm /private/var/db/emondClients/T1165
T1501:
@@ -3915,25 +3917,7 @@ persistence:
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}
- - name: Cleanup Systemd Test
- description: 'This cleans up the remnants of the SystemD service unit file creation
- test.
-
-'
- supported_platforms:
- - linux
- input_arguments:
- systemd_service_path:
- description: Path to systemd service unit file
- type: Path
- default: "/etc/systemd/system"
- systemd_service_file:
- description: File name of systemd service unit file
- type: String
- default: art-systemd-service.service
- executor:
- name: bash
- command: |
+ cleanup_command: |
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
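Review bot: `cleanup_command` must sit at the same level as `command` under `executor`, and this view does not preserve indentation, so confirm it is not nested under `command` or placed at the test level; the `input_arguments` block removed with Cleanup Systemd Test (`systemd_service_path`, `systemd_service_file`) must still be present on Create Systemd Service for the placeholders in these lines to resolve.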
@@ -4149,8 +4133,7 @@ persistence:
executor:
name: powershell
elevation_required: true
- command: |2
-
+ command: |
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
@@ -4166,21 +4149,7 @@ persistence:
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
- - name: Persistence Cleanup
- description: |
- Run from an administrator powershell window
-
- Code references
-
- https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
-
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
- supported_platforms:
- - windows
- executor:
- name: powershell
- command: |2
-
+ cleanup_command: |
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
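Review bot: the `REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)}` query assumes the consumer exists; if the cleanup runs when the test never completed, `$EventConsumerToCleanup` is null, the query string is malformed, and the subsequent `Remove-WmiObject` calls fail. Guarding each removal with a null check (for example `if ($EventConsumerToCleanup) { ... }`) makes the cleanup idempotent. The executor's `elevation_required: true` now has to cover the cleanup as well, which replaces the removed "Run from an administrator powershell window" note.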
@@ -5324,7 +5293,9 @@ defense-evasion:
command: |
reg import ..\src\COMHijack.reg
certutil.exe -CAInfo
- reg import ..\src\COMHijackCleanup.reg
+ cleanup_command: 'reg import ..\src\COMHijackCleanup.reg
+
+'
T1196:
technique:
external_references:
@@ -11941,7 +11912,7 @@ privilege-escalation:
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
- #Clean up
+ cleanup_command: |
sudo rm /etc/emond.d/rules/T1165_emond.plist
sudo rm /private/var/db/emondClients/T1165
T1169:
@@ -21188,10 +21159,6 @@ command-and-control:
description: |
Enable traffic redirection.
- To undo changes made by this test:
- unset http_proxy
- unset https_proxy
-
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- macos
@@ -21210,6 +21177,9 @@ command-and-control:
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
'
+ cleanup_command: |-
+ unset http_proxy
+ unset https_proxy
T1132:
technique:
external_references:
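Review bot: this `cleanup_command` uses `|-` while the T1165 and T1501 entries use `|` and the T1122 entry uses a quoted scalar; pick one block style for all `cleanup_command` values so the generated markdown is uniform. As in T1090.md, the cleanup unsets `http_proxy` and `https_proxy` rather than `#{proxy_scheme}_proxy`, so it does not follow the `proxy_scheme` input the test command uses.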
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index d3147144..3a84916c 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -29,7 +29,6 @@
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1501 Systemd Service](./T1501/T1501.md)
- Atomic Test #1: Create Systemd Service [linux]
- - Atomic Test #2: Cleanup Systemd Test [linux]
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 815c7e2b..2da9ad9a 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -272,7 +272,6 @@
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- - Atomic Test #2: Persistence Cleanup [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]