T1107 description updates, remove duplicate tests (#921)

* random powershell errors :( * remove tests that are already in T1490 and fit better there * more fixes * finish tests * fix description names * fixes * fixes * fix input arg descriptions Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-04-03 09:32:58 -05:00
parent 8e969def85
commit b392694779
1 changed files with 93 additions and 67 deletions
@@ -52,96 +52,111 @@ atomic_tests:

 - name: Delete a single file - Windows cmd
  description: |
-    Delete a single file from the temporary directory using cmd.exe
+    Delete a single file from the temporary directory using cmd.exe.
+    Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
  supported_platforms:
    - windows
+
+  input_arguments:
+    file_to_delete:
+      description: File to delete. Run the prereq command to create it if it does not exist.
+      type: string
+      default: "%temp%\\deleteme_T1107"
+
+  dependency_executor_name: command_prompt
+  dependencies:
+    - description: |
+        The file to delete must exist on disk at specified location (#{file_to_delete})
+      prereq_command: |
+        IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
+      get_prereq_command: |
+        echo deleteme_T1107 >> #{file_to_delete}
+
  executor:
    name: command_prompt
    elevation_required: false
    command: |
-      echo "T1107" > %temp%\T1107.txt
-      del /f  %temp%\T1107.txt >nul 2>&1
+      del /f #{file_to_delete}

 - name: Delete an entire folder - Windows cmd
  description: |
-    Recursively delete the temporary directory and all files contained within it using cmd.exe
+    Recursively delete a folder in the temporary directory using cmd.exe.
+    Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
  supported_platforms:
    - windows
+
+  input_arguments:
+    folder_to_delete:
+      description: Folder to delete. Run the prereq command to create it if it does not exist.
+      type: string
+      default: "%temp%\\deleteme_T1107"
+
+  dependency_executor_name: command_prompt
+  dependencies:
+    - description: |
+        The file to delete must exist on disk at specified location (#{folder_to_delete})
+      prereq_command: |
+        IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
+      get_prereq_command: |
+        mkdir #{folder_to_delete}
+
  executor:
    name: command_prompt
    elevation_required: false
    command: |
-      mkdir %temp%\T1107
-      rmdir /s /q %temp%\T1107
+      rmdir /s /q #{folder_to_delete}

 - name: Delete a single file - Windows PowerShell
  description: |
-    Delete a single file from the temporary directory using Powershell
+    Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
  supported_platforms:
    - windows
+  input_arguments:
+    file_to_delete:
+      description: File to delete. Run the prereq command to create it if it does not exist.
+      type: string
+      default: $env:TEMP\deleteme_T1107
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        The file to delete must exist on disk at specified location (#{file_to_delete})
+      prereq_command: |
+        if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Path #{file_to_delete} | Out-Null
+
  executor:
    name: powershell
    elevation_required: false
    command: |
-      New-Item $env:TEMP\T1107.txt
-      Remove-Item -path $env:TEMP\T1107.txt
+      Remove-Item -path #{file_to_delete}

 - name: Delete an entire folder - Windows PowerShell
  description: |
-    Recursively delete the temporary directory and all files contained within it using Powershell
+    Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
  supported_platforms:
    - windows
+  input_arguments:
+    folder_to_delete:
+      description: Folder to delete. Run the prereq command to create it if it does not exist.
+      type: string
+      default: $env:TEMP\deleteme_folder_T1107
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        The folder to delete must exist on disk at specified location (#{folder_to_delete})
+      prereq_command: |
+        if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
+
  executor:
    name: powershell
    elevation_required: false
    command: |
-      New-Item $env:TEMP\T1107 -ItemType Directory
-      Remove-Item -path $env:TEMP\T1107 -recurse
-
- name: Delete VSS - vssadmin
-  description: |
-    Delete all volume shadow copies with vssadmin.exe
-  supported_platforms:
-    - windows
-  executor:
-    name: command_prompt
-    elevation_required: true
-    command: |
-      vssadmin.exe Delete Shadows /All /Quiet
-
- name: Delete VSS - wmic
-  description: |
-    Delete all volume shadow copies with wmic
-  supported_platforms:
-    - windows
-  executor:
-    name: command_prompt
-    elevation_required: true
-    command: |
-      wmic shadowcopy delete
-
- name: bcdedit
-  description: |
-    This test leverages `bcdedit` to remove boot-time recovery measures.
-  supported_platforms:
-    - windows
-  executor:
-    name: command_prompt
-    elevation_required: true
-    command: |
-      bcdedit /set {default} bootstatuspolicy ignoreallfailures
-      bcdedit /set {default} recoveryenabled no
-
- name: wbadmin
-  description: |
-    This test deletes Windows Backup catalogs.
-  supported_platforms:
-    - windows
-  executor:
-    name: command_prompt
-    elevation_required: true
-    command: |
-      wbadmin delete catalog -quiet
+      Remove-Item -Path #{folder_to_delete} -Recurse

 - name: Delete Filesystem - Linux
  description: |
@@ -156,7 +171,8 @@ atomic_tests:

 - name: Delete-PrefetchFile
  description: |
-    Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique.
+    Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
+    before and after the test to verify that the number of prefetch files decreases by 1.
  supported_platforms:
    - windows
  executor:
@@ -169,19 +185,29 @@ atomic_tests:
  description: |
    Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
    This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
-    log file format of TeamViewerXX_Logfile.log
+    log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
+
    https://twitter.com/SBousseaden/status/1197524463304290305?s=20
  supported_platforms:
    - windows
-    - macos
+
+  input_arguments:
+    teamviewer_log_file:
+      description: Teamviewer log file to delete. Run the prereq command to create it if it does not exist.
+      type: string
+      default: $env:TEMP\TeamViewer_54.log
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        The folder to delete must exist on disk at specified location (#{teamviewer_log_file})
+      prereq_command: |
+        if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Path #{teamviewer_log_file} | Out-Null
+
  executor:
    name: powershell
    elevation_required: false
    command: |
-      if ($env:os -eq "Windows_NT") {
-        New-Item $env:TEMP\TeamViewer_54.log
-        Remove-Item $env:TEMP\TeamViewer_54.log
-      } else {
-        New-Item $env:HOME\TeamViewer_54.log
-        Remove-Item $env:HOME\TeamViewer_54.log
-      }
+      Remove-Item #{teamviewer_log_file}