From d5a32b161c5e314dfc503fee3c38b5b1bf17e7eb Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Sat, 8 Feb 2020 00:29:45 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1002/T1002.md | 4 ++--
 atomics/T1004/T1004.md | 6 +++---
 atomics/T1007/T1007.md | 2 +-
 atomics/T1010/T1010.md | 2 +-
 atomics/T1023/T1023.md | 6 +++---
 atomics/index.yaml | 20 ++++++++++----------
 6 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
index e7303654..58011709 100644
--- a/atomics/T1002/T1002.md
+++ b/atomics/T1002/T1002.md
@@ -37,7 +37,7 @@ dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 #### Cleanup Commands:
 ```
-Remove-Item -path #{output_file}
+Remove-Item -path #{output_file} -ErrorAction Ignore
 ```
@@ -70,7 +70,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 #### Cleanup Commands:
 ```
-del #{output_file}
+del /f /q /s #{output_file} >nul 2>&1
 ```
diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md
index be7b6d1d..93014434 100644
--- a/atomics/T1004/T1004.md
+++ b/atomics/T1004/T1004.md
@@ -40,7 +40,7 @@ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
 #### Cleanup Commands:
 ```
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
 ```
@@ -69,7 +69,7 @@ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
 #### Cleanup Commands:
 ```
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
 ```
@@ -99,7 +99,7 @@ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\No
 #### Cleanup Commands:
 ```
-Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
+Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
 ```
diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md
index d85ecfdb..e1a79fdf 100644
--- a/atomics/T1007/T1007.md
+++ b/atomics/T1007/T1007.md
@@ -52,7 +52,7 @@ net.exe start >> #{output_file}
 #### Cleanup Commands:
 ```
-del #{output_file}
+del /f /q /s #{output_file} >nul 2>&1
 ```
diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md
index d90f8f51..797904b9 100644
--- a/atomics/T1010/T1010.md
+++ b/atomics/T1010/T1010.md
@@ -33,7 +33,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #
 #### Cleanup Commands:
 ```
-del #{output_file_name}
+del /f /q /s #{output_file_name} >nul 2>&1
 ```
diff --git a/atomics/T1023/T1023.md b/atomics/T1023/T1023.md
index dfaccb69..f57957fc 100644
--- a/atomics/T1023/T1023.md
+++ b/atomics/T1023/T1023.md
@@ -26,7 +26,7 @@ gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-Strin
 #### Attack Commands: Run with `command_prompt`!
 ```
-echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path}
+echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
 ```
@@ -65,8 +65,8 @@ $ShortCut.Save()
 #### Cleanup Commands:
 ```
-Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
-Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
+Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
+Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
 ```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index bdd003c0..7ea0fe0b 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -4689,7 +4689,7 @@ persistence:
 name: command_prompt
 elevation_required: false
 command: 'echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe
- >> #{shortcut_file_path} && #{shortcut_file_path}
+ >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
 '
 - name: Create shortcut to cmd in startup folders
@@ -4718,8 +4718,8 @@ persistence:
 $ShortCut.Description = "T1023.";
 $ShortCut.Save()
 cleanup_command: |
- Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
- Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk"
+ Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
+ Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
 T1165:
 technique:
 x_mitre_permissions_required:
@@ -5288,7 +5288,7 @@ persistence:
 '
 cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
- NT\CurrentVersion\Winlogon\" -Name "Shell" -Force
+ NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
 '
 - name: Winlogon Userinit Key Persistence - PowerShell
@@ -5311,7 +5311,7 @@ persistence:
 '
 cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
- NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force
+ NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
 '
 - name: Winlogon Notify Key Logon Persistence - PowerShell
@@ -5333,7 +5333,7 @@ persistence:
 New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
 cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
- -Force
+ -Force -ErrorAction Ignore
 '
 defense-evasion:
@@ -16821,7 +16821,7 @@ discovery:
 command: |
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
 #{output_file_name}
- cleanup_command: 'del #{output_file_name}
+ cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1
 '
 T1217:
@@ -19047,7 +19047,7 @@ discovery:
 command: 'net.exe start >> #{output_file}
 '
- cleanup_command: 'del #{output_file}
+ cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
 '
 T1124:
@@ -26684,7 +26684,7 @@ exfiltration:
 command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 '
- cleanup_command: 'Remove-Item -path #{output_file}
+ cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore
 '
 - name: Compress Data for Exfiltration With Rar
@@ -26727,7 +26727,7 @@ exfiltration:
 command: '"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
 '
- cleanup_command: 'del #{output_file}
+ cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
 '
 - name: Data Compressed - nix - zip