T1096-T1138_CleanupErrors (#842)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-02-28 12:03:31 -06:00
parent d1546cbb19
commit ce43569dcf
7 changed files with 24 additions and 28 deletions
@@ -54,19 +54,16 @@ atomic_tests:
    ads_name:
      description: Name of ADS
      type: string
-      default: ADSName
+      default: desktop.ini

  executor:
    name: powershell
    elevation_required: false
    prereq_command: |
-      if (!(Test-Path "#{ads_file_path}"))
-      {
-        $FileCreated = New-Item -Path "#{ads_file_path}" -Type "file" -Force
-        0
-      }
-      else {0}
    command: |
+      if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
+          New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
+          }
      Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
    cleanup_command: |
-      Remove-Item -Path "#{ads_file_path}" -Stream "#{ads_name}"
+      Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
@@ -31,5 +31,4 @@ atomic_tests:
      $wc = New-Object System.Net.WebClient
      $T1102 = $wc.DownloadString("https://www.aol.com/")
    cleanup_command: |
-      Clear-Variable T1102
-
+      Clear-Variable T1102 >$null 2>&1
@@ -133,7 +133,7 @@ atomic_tests:
      $EncodedCommand
      Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
    cleanup_command: |
-      Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
+      Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore

 - name: Add domain to Trusted sites Zone
  description: |
@@ -155,7 +155,7 @@ atomic_tests:

    cleanup_command: |
      $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
-      Remove-item  $key -Recurse
+      Remove-item  $key -Recurse -ErrorAction Ignore

 - name: Javascript in registry
  description: |
@@ -168,4 +168,4 @@ atomic_tests:
    command: |
      New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
    cleanup_command: |
-      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112
+      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
@@ -41,9 +41,9 @@ atomic_tests:
      Get-ChildItem Env: > $env:TEMP\T1119_2.txt
      Get-Process > $env:TEMP\T1119_3.txt
    cleanup_command: |
-      Remove-Item $env:TEMP\T1119_1.txt
-      Remove-Item $env:TEMP\T1119_2.txt
-      Remove-Item $env:TEMP\T1119_3.txt
+      Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
+      Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
+      Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore

 - name: Recon information for export with Command Prompt
  description: |
@@ -60,7 +60,7 @@ atomic_tests:
      wmic process list > %TEMP%\T1119_3.txt
      tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
    cleanup_command: |
-      del %TEMP%\T1119_1.txt
-      del %TEMP%\T1119_2.txt
-      del %TEMP%\T1119_3.txt
-      del %TEMP%\T1119_4.txt
+      del %TEMP%\T1119_1.txt >$null 2>&1
+      del %TEMP%\T1119_2.txt >$null 2>&1
+      del %TEMP%\T1119_3.txt >$null 2>&1
+      del %TEMP%\T1119_4.txt >$null 2>&1
@@ -50,5 +50,5 @@ atomic_tests:
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
    cleanup_command: |
-      del #{file_name}
-      del key.snk
+      del #{file_name} >$null 2>&1
+      del key.snk >$null 2>&1
@@ -86,7 +86,7 @@ atomic_tests:
    command: |
      New-LocalUser -Name "#{username}" -NoPassword
    cleanup_command: |
-      Remove-LocalUser -Name "#{username}"
+      Remove-LocalUser -Name "#{username}" -ErrorAction Ignore


 - name: Create a new user in Linux with `root` UID and GID.
@@ -110,4 +110,4 @@ atomic_tests:
      useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
      echo "#{password}" | passwd --stdin #{username}
    cleanup_command: |
-      userdel #{username}
+      userdel #{username}
@@ -37,8 +37,8 @@ atomic_tests:
      Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
      Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
    cleanup_command: |
-      Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
-      Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
+      Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
+      Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore

 - name: Registry key creation and/or modification events for SDB
  description: |
@@ -52,5 +52,5 @@ atomic_tests:
      New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
      New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
    cleanup_command: |
-      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138"
-      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138"
+      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
+      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore