diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml
index b6706a0b..089da03f 100644
--- a/atomics/T1107/T1107.yaml
+++ b/atomics/T1107/T1107.yaml
@@ -3,115 +3,112 @@ attack_technique: T1107 display_name: File Deletion atomic_tests: -- name: Victim configuration - description: | - Create a temporary directory and several files on the victim system for later deletion - supported_platforms: - - linux - executor: - name: sh - command: | - mkdir /tmp/victim-files - cd /tmp/victim-files - touch a b c d e f g - echo "This file will be shredded" > /tmp/victim-shred.txt - -- name: Delete a single file +- name: Delete a single file - Linux/macOS description: | Delete a single file from the temporary directory supported_platforms: - linux + - macos + input_arguments: + file_to_delete: + description: Path of file to delete + type: Path + default: /tmp/victim-files/a executor: name: sh command: | - rm -f /tmp/victim-files/a + rm -f #{file_to_delete} -- name: Delete an entire folder +- name: Delete an entire folder - Linux/macOS description: | Recursively delete the temporary directory and all files contained within it supported_platforms: - linux + - macos + input_arguments: + folder_to_delete: + description: Path of folder to delete + type: Path + default: /tmp/victim-files executor: name: sh command: | - rm -rf /tmp/victim-files + rm -rf #{folder_to_delete} - name: Overwrite and delete a file with shred description: | Use the `shred` command to overwrite the temporary file and then delete it supported_platforms: - linux + input_arguments: + file_to_shred: + description: Path of file to shred + type: Path + default: /tmp/victim-shred.txt executor: name: sh command: | - shred -u /tmp/victim-shred.txt + shred -u #{file_to_shred} -- name: Victim configuration - description: | - Create a temporary directory and several files on the victim system for later deletion - supported_platforms: - - windows - executor: - name: command_prompt - command: | - mkdir %TEMP%\victim-files-cmd - cd %TEMP%\victim-files-cmd - type nul > a - type nul > b - type nul > c - type nul > d - type nul > e - type nul > f - type nul > g - mkdir 
%TEMP%\victim-files-ps - cd %TEMP%\victim-files-ps - type nul > a - type nul > b - type nul > c - type nul > d - type nul > e - type nul > f - type nul > g - -- name: Delete a single file - cmd +- name: Delete a single file - Windows cmd description: | Delete a single file from the temporary directory using cmd.exe supported_platforms: - windows + input_arguments: + file_to_delete: + description: Path of file to delete + type: Path + default: C:\Windows\Temp\victim-files-cmd\a executor: name: command_prompt command: | - del /f %TEMP%\victim-files-cmd\a + del /f #{file_to_delete} -- name: Delete an entire folder - cmd +- name: Delete an entire folder - Windows cmd description: | Recursively delete the temporary directory and all files contained within it using cmd.exe supported_platforms: - windows + input_arguments: + folder_to_delete: + description: Path of folder to delete + type: Path + default: C:\Windows\Temp\victim-files-cmd executor: name: command_prompt command: | - del /f /S %TEMP%\victim-files-cmd + del /f /S #{folder_to_delete} -- name: Delete a single file - ps +- name: Delete a single file - Windows PowerShell description: | Delete a single file from the temporary directory using Powershell supported_platforms: - windows + input_arguments: + file_to_delete: + description: Path of file to delete + type: Path + default: C:\Windows\Temp\victim-files-ps\a executor: name: powershell command: | - Remove-Item -path %TEMP%\victim-files-ps\a + Remove-Item -path "#{file_to_delete}" -- name: Delete an entire folder - ps +- name: Delete an entire folder - Windows PowerShell description: | Recursively delete the temporary directory and all files contained within it using Powershell supported_platforms: - windows + input_arguments: + folder_to_delete: + description: Path of folder to delete + type: Path + default: C:\Windows\Temp\victim-files-ps executor: name: powershell command: | - Remove-Item -path %TEMP%\victim-files-ps -recurse + Remove-Item -path 
"#{folder_to_delete}" -recurse - name: Delete VSS - vssadmin description: | @@ -152,4 +149,4 @@ atomic_tests: executor: name: command_prompt command: | - wbdadmin delete catalog -quiet + wbadmin delete catalog -quiet