Line 632 and Line 634 use the same argument, #{process_to_execute}, to create and delete the process. You can use the path to the executable in Line 632 to to create the process. However, you have to specify the process name (without the directory path) in Line 634 to delete the process.
I recommend the following changes.
command: |
wmic /node:#{node} process call create "#{path_to_execute}"
cleanup_command: |
wmic /node:#{node} process where name="#{process_name_to_kill}" delete >nul 2>&1
Line 632: #{process_to_execute} -> "#{path_to_execute}"
Line 634: #{process_to_execute} -> #{process_name_to_kill}
Update Lines 614 and 616 in the same way.
command: |
wmic /node:#{node} process call create "#{path_to_execute}"
cleanup: |
wmic /node:#{node} process where name="#{process_name_to_kill}" delete >nul 2>&1
Line 614: #{process_to_execute} -> "#{path_to_execute}"
Line 616: #{process_to_execute} -> "#{process_name_to_kill}"
Line 616: del -> delete
Add/modify input_arguments: according to the changes above.
shinsugarfj
commented
3 years ago
https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/c0591fd79dae9e91bfe6323e7007a350936d0b9b/fin6/Emulation_Plan/FIN6.yaml#L631-L634
Line 632 and Line 634 use the same argument,
#{process_to_execute}, to create and delete the process. You can use the path to the executable in Line 632 to to create the process. However, you have to specify the process name (without the directory path) in Line 634 to delete the process.I recommend the following changes.
#{process_to_execute}->"#{path_to_execute}"#{process_to_execute}->#{process_name_to_kill}Update Lines 614 and 616 in the same way.
#{process_to_execute}->"#{path_to_execute}"#{process_to_execute}->"#{process_name_to_kill}"del->deleteAdd/modify
input_arguments:according to the changes above.