From b2043cdf3edd76902df0a422bcbcecdc6623a692 Mon Sep 17 00:00:00 2001
From: Kevin2755 <98421735+Kevin2755@users.noreply.github.com>
Date: Tue, 25 Jan 2022 13:19:07 -0600
Subject: [PATCH] Application uninstall using WMIC (#1741)

---
 atomics/T1047/T1047.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml
index f8455405..f420f019 100644
--- a/atomics/T1047/T1047.yaml
+++ b/atomics/T1047/T1047.yaml
@@ -180,3 +180,30 @@ atomic_tests:
 cleanup_command: |-
 taskkill /f /im calculator.exe
 name: powershell
+- name: Application uninstall using WMIC
+ description: Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.
+ supported_platforms:
+ - windows
+ input_arguments:
+ node:
+ description: Computer the action is being executed against but defaults to the localhost.
+ type: string
+ default: 127.0.0.1
+ product:
+ description: Enter the product name being uninstalled. This will default to TightVNC.
+ type: String
+ default: Tightvnc
+ dependency_executor_name: powershell
+ dependencies:
+ - description: TightVNC must be installed.
+ prereq_command: if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
+ get_prereq_command: |- Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile C:\AtomicRedTeam\atomics\T1047\bin\tightvncinstaller.msi start-sleep -s 10 msiexec /i C:\AtomicRedTeam\atomics\T1047\bin\tightvncinstaller.msi /qn /norestart start-sleep -s 15
+ executor:
+ command: wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
+ cleanup_command: msiexec /i C:\AtomicRedTeam\atomics\T1047\bin\tightvncinstaller.msi /qn /norestart
+ name: command_prompt
+ elevation_required: true
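Review bot: The `product` argument is declared `type: String` while `node` a few lines above uses `type: string`; the test schema spells the type lowercase, so change it to `type: string`. The `get_prereq_command` and the `cleanup_command` both hard-code `C:\AtomicRedTeam\atomics\T1047\bin\tightvncinstaller.msi`, and nothing creates that directory before `Invoke-WebRequest -OutFile` writes to it, so the dependency step fails on a host where the atomics live elsewhere or the `bin` folder is absent; the repository's `PathToAtomicsFolder` token plus a `New-Item -ItemType Directory -Force` before the download would match how sibling tests locate their payloads. The `cleanup_command` reinstalls TightVNC rather than restoring the pre-test state, which is presumably intended so the prerequisite holds for reruns, but the test description should say so. Minor: the `product` description promises a default of "TightVNC" while the default is `Tightvnc`; aligning the two avoids confusion even though the `like` match is case-insensitive.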