update sysmon

atomics/T1562.001/T1562.001.yaml

@@ -210,9 +210,9 @@ atomic_tests:
   - description: |
       sysmon must be Installed
     prereq_command: |
-      if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
+      if(sc.exe query | findstr sysmon) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
+      if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { sysmon -accepteula -i } else
       { & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i}
   - description: |
       sysmon filter must be loaded
@@ -220,20 +220,27 @@ atomic_tests:
       if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
     get_prereq_command: |
       if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
-        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u
+        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u force
         & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
       }else{
-        sysmon -u
+        Get-Service -Name Sysmon* | ForEach-Object {
-        sysmon -accepteula -i
+          & "$($_.Name)" -u force
+          & "$($_.Name)" -accepteula -i
+        }
       }
   executor:
     command: |
       fltmc.exe unload #{sysmon_driver}
     cleanup_command: |
-      sysmon -u -i > nul 2>&1
+      if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
-      sysmon -i -accepteula -i > nul 2>&1
+        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u force
-      "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u > nul 2>&1
+        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
-      "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i > nul 2>&1
+      }else{
+        Get-Service -Name Sysmon* | ForEach-Object {
+          & "$($_.Name)" -u force
+          & "$($_.Name)" -accepteula -i
+        }
+      }
     name: command_prompt
     elevation_required: true
 - name: Uninstall Sysmon
@@ -252,7 +259,7 @@ atomic_tests:
   - description: |
       Sysmon executable must be available
     prereq_command: |
-      if(cmd /c where sysmon) {exit 0} else {exit 1}
+      if(cmd /c where.exe sysmon*) {exit 0} else {exit 1}
     get_prereq_command: |
       $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
       New-Item -ItemType Directory $parentpath -Force | Out-Null
@@ -262,15 +269,33 @@ atomic_tests:
   - description: |
       Sysmon must be installed
     prereq_command: |
-      if(cmd /c sc query sysmon) { exit 0} else { exit 1}
+      if( cmd /c 'sc.exe query | findstr "sysmon"') { exit 0} else { exit 1}
     get_prereq_command: |
-      cmd /c sysmon -i -accepteula
+      if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
+        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
+      }else{
+        Get-Service -Name Sysmon* | ForEach-Object {
+          & "$($_.Name)" -accepteula -i
+        }
+      }
   executor:
     command: |
-      sysmon -u
+      if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
+        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -u force
+      }else{
+        Get-Service -Name Sysmon* | ForEach-Object {
+          & "$($_.Name)" -u force
+        }
+      }
     cleanup_command: |
-      sysmon -i -accepteula >nul 2>&1
+      if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){
-    name: command_prompt
+        & "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe" -accepteula -i
+      }else{
+        Get-Service -Name Sysmon* | ForEach-Object {
+          & "$($_.Name)" -accepteula -i
+        }
+      }
+    name: powershell
     elevation_required: true
 - name: AMSI Bypass - AMSI InitFailed
   auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd