From ce43569dcf3246bba4cf376c8da848dbd98afa47 Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Fri, 28 Feb 2020 12:03:31 -0600
Subject: [PATCH] T1096-T1138_CleanupErrors (#842)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1096/T1096.yaml | 13 +++++--------
 atomics/T1102/T1102.yaml |  3 +--
 atomics/T1112/T1112.yaml |  6 +++---
 atomics/T1119/T1119.yaml | 14 +++++++-------
 atomics/T1121/T1121.yaml |  4 ++--
 atomics/T1136/T1136.yaml |  4 ++--
 atomics/T1138/T1138.yaml |  8 ++++----
 7 files changed, 24 insertions(+), 28 deletions(-)

diff --git a/atomics/T1096/T1096.yaml b/atomics/T1096/T1096.yaml
index 91382cae..749c335c 100644
--- a/atomics/T1096/T1096.yaml
+++ b/atomics/T1096/T1096.yaml
@@ -54,19 +54,16 @@ atomic_tests:
     ads_name:
       description: Name of ADS
       type: string
-      default: ADSName
+      default: desktop.ini
 
   executor:
     name: powershell
     elevation_required: false
     prereq_command: |
-      if (!(Test-Path "#{ads_file_path}"))
-      {
-        $FileCreated = New-Item -Path "#{ads_file_path}" -Type "file" -Force
-        0
-      }
-      else {0}
     command: |
+      if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
+          New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
+          }
       Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
     cleanup_command: |
-      Remove-Item -Path "#{ads_file_path}" -Stream "#{ads_name}"
\ No newline at end of file
+      Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
\ No newline at end of file
diff --git a/atomics/T1102/T1102.yaml b/atomics/T1102/T1102.yaml
index ead75677..9ca998e0 100644
--- a/atomics/T1102/T1102.yaml
+++ b/atomics/T1102/T1102.yaml
@@ -31,5 +31,4 @@ atomic_tests:
       $wc = New-Object System.Net.WebClient
       $T1102 = $wc.DownloadString("https://www.aol.com/")
     cleanup_command: |
-      Clear-Variable T1102
-
+      Clear-Variable T1102 >$null 2>&1
\ No newline at end of file
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 0cd7b7a6..8fc126b6 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -133,7 +133,7 @@ atomic_tests:
       $EncodedCommand
       Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
     cleanup_command: |
-      Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
+      Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore
 
 - name: Add domain to Trusted sites Zone
   description: |
@@ -155,7 +155,7 @@ atomic_tests:
 
     cleanup_command: |
       $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
-      Remove-item  $key -Recurse
+      Remove-item  $key -Recurse -ErrorAction Ignore
 
 - name: Javascript in registry
   description: |
@@ -168,4 +168,4 @@ atomic_tests:
     command: |
       New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
     cleanup_command: |
-      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112
+      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
\ No newline at end of file
diff --git a/atomics/T1119/T1119.yaml b/atomics/T1119/T1119.yaml
index 72576fb2..c92b9cf8 100644
--- a/atomics/T1119/T1119.yaml
+++ b/atomics/T1119/T1119.yaml
@@ -41,9 +41,9 @@ atomic_tests:
       Get-ChildItem Env: > $env:TEMP\T1119_2.txt
       Get-Process > $env:TEMP\T1119_3.txt
     cleanup_command: |
-      Remove-Item $env:TEMP\T1119_1.txt
-      Remove-Item $env:TEMP\T1119_2.txt
-      Remove-Item $env:TEMP\T1119_3.txt
+      Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
+      Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
+      Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
 
 - name: Recon information for export with Command Prompt
   description: |
@@ -60,7 +60,7 @@ atomic_tests:
       wmic process list > %TEMP%\T1119_3.txt
       tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
     cleanup_command: |
-      del %TEMP%\T1119_1.txt
-      del %TEMP%\T1119_2.txt
-      del %TEMP%\T1119_3.txt
-      del %TEMP%\T1119_4.txt
+      del %TEMP%\T1119_1.txt >$null 2>&1
+      del %TEMP%\T1119_2.txt >$null 2>&1
+      del %TEMP%\T1119_3.txt >$null 2>&1
+      del %TEMP%\T1119_4.txt >$null 2>&1
\ No newline at end of file
diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml
index 74603fe6..f5c681ac 100644
--- a/atomics/T1121/T1121.yaml
+++ b/atomics/T1121/T1121.yaml
@@ -50,5 +50,5 @@ atomic_tests:
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
     cleanup_command: |
-      del #{file_name}
-      del key.snk
+      del #{file_name} >$null 2>&1
+      del key.snk >$null 2>&1
\ No newline at end of file
diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml
index f6134177..de6db548 100644
--- a/atomics/T1136/T1136.yaml
+++ b/atomics/T1136/T1136.yaml
@@ -86,7 +86,7 @@ atomic_tests:
     command: |
       New-LocalUser -Name "#{username}" -NoPassword
     cleanup_command: |
-      Remove-LocalUser -Name "#{username}"
+      Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
 
 
 - name: Create a new user in Linux with `root` UID and GID.
@@ -110,4 +110,4 @@ atomic_tests:
       useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
       echo "#{password}" | passwd --stdin #{username}
     cleanup_command: |
-      userdel #{username}
+      userdel #{username}
\ No newline at end of file
diff --git a/atomics/T1138/T1138.yaml b/atomics/T1138/T1138.yaml
index 3a4080aa..ed43d74a 100644
--- a/atomics/T1138/T1138.yaml
+++ b/atomics/T1138/T1138.yaml
@@ -37,8 +37,8 @@ atomic_tests:
       Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
       Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
     cleanup_command: |
-      Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
-      Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
+      Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
+      Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
 
 - name: Registry key creation and/or modification events for SDB
   description: |
@@ -52,5 +52,5 @@ atomic_tests:
       New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
       New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
     cleanup_command: |
-      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138"
-      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138"
+      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
+      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore