From 064bd667bce82e1fddef8ffca37a83cd03710c58 Mon Sep 17 00:00:00 2001
From: Carrie Roberts <clr2of8@gmail.com>
Date: Tue, 10 Oct 2023 14:30:25 -0600
Subject: [PATCH] rearrange to have success exit code (#2560)

* rearrange to have success exit code

* default to current user

* Update T1069.002.yaml

---------

Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
---
 atomics/T1069.002/T1069.002.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml
index 8ab7a449..e3805470 100644
--- a/atomics/T1069.002/T1069.002.yaml
+++ b/atomics/T1069.002/T1069.002.yaml
@@ -12,8 +12,8 @@ atomic_tests:
     command: |
       net localgroup
       net group /domain
-      net group "domain admins" /domain
       net group "enterprise admins" /domain
+      net group "domain admins" /domain
     name: command_prompt
 - name: Permission Groups Discovery PowerShell (Domain)
   auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
@@ -26,7 +26,7 @@ atomic_tests:
     user:
       description: User to identify what groups a user is a member of
       type: string
-      default: administrator
+      default: $env:USERNAME
   executor:
     command: |
       get-ADPrincipalGroupMembership #{user} | select name
@@ -40,10 +40,10 @@ atomic_tests:
   - windows
   executor:
     command: |
-      net group /domai "Domain Admins"
       net groups "Account Operators" /doma
       net groups "Exchange Organization Management" /doma
       net group "BUILTIN\Backup Operators" /doma
+      net group /domai "Domain Admins"
     name: command_prompt
 - name: Find machines where user has local admin access (PowerView)
   auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1