diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index 80aaf8b1..ce95e83e 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -16,6 +16,8 @@ atomic_tests:
 command: |
 cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
 cmd.exe /c %SystemRoot%\Temp\lsass.exe
+ cleanup_command: |
+ del /Q /F %SystemRoot%\Temp\lsass.exe
 - name: Masquerading as Linux crond process.
 description: |
@@ -44,6 +46,8 @@ atomic_tests:
 command: |
 copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
 cmd.exe /c %APPDATA%\notepad.exe /B
+ cleanup_command: |
+ del /Q /F %APPDATA%\notepad.exe
 - name: Masquerading - wscript.exe running as svchost.exe
 description: |
@@ -58,6 +62,8 @@ atomic_tests:
 command: |
 copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
 cmd.exe /c %APPDATA%\svchost.exe /B
+ cleanup_command: |
+ del /Q /F %APPDATA%\svchost.exe
 - name: Masquerading - powershell.exe running as taskhostw.exe
 description: |
@@ -72,3 +78,5 @@ atomic_tests:
 command: |
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
 cmd.exe /K %APPDATA%\taskhostw.exe
+ cleanup_command: |
+ del /Q /F %APPDATA%\taskhostw.exe
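Review bot: The added `del /Q /F %SystemRoot%\Temp\lsass.exe` cannot remove the file while the cmd.exe copy launched by the preceding `cmd.exe /c %SystemRoot%\Temp\lsass.exe` is still running, because Windows keeps a running image file open and `/F` does not override that, so a fake lsass.exe would be left in %SystemRoot%\Temp and, since `del` never sets a non-zero ERRORLEVEL, the harness would not notice. Do not address this with `taskkill /IM lsass.exe`: it matches the real lsass.exe by image name, and terminating that process forces a reboot. Any pre-delete termination must match on the full path, for example `powershell -Command "Get-Process | Where-Object Path -eq (Join-Path $env:SystemRoot 'Temp\lsass.exe') | Stop-Process -Force"` before the `del`, and the path should be quoted: `del /Q /F "%SystemRoot%\Temp\lsass.exe"`. Whether the spawned process is still alive when cleanup runs depends on how the harness invokes the test and is not visible in this hunk.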
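Review bot: The new `del /Q /F %APPDATA%\notepad.exe` leaves the path unquoted, and %APPDATA% lives under the user profile, which can contain a space; cmd then splits it into two arguments, and because `/Q` suppresses the confirmation `del` normally asks before deleting every file in a directory, a profile such as `C:\Users\Jane Doe` would make `del` target `C:\Users\Jane` (wiping its contents if such a directory exists) and `Doe\AppData\Roaming\notepad.exe`, leaving the test artifact in place. Quote the path: `del /Q /F "%APPDATA%\notepad.exe"`. The `copy` on the context line above has the same defect, but it predates this change.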
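Review bot: The added `del /Q /F %APPDATA%\svchost.exe` gives the harness no way to tell that cleanup failed, because `del` does not set a non-zero ERRORLEVEL when it cannot delete (for instance while the wscript copy is still executing, or when an unquoted %APPDATA% with a space is split into two arguments), so a binary named svchost.exe could silently remain in %APPDATA% after the test is reported clean. I would quote the path and verify the result, `del /Q /F "%APPDATA%\svchost.exe"` followed by `if exist "%APPDATA%\svchost.exe" exit /b 1`. If a running instance has to be stopped first, match it on its full path rather than `taskkill /IM svchost.exe`, which would also hit the legitimate service hosts.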
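Review bot: The added `del /Q /F %APPDATA%\taskhostw.exe` is likely to run while the file is still locked, because the context line `cmd.exe /K %APPDATA%\taskhostw.exe` starts the renamed powershell.exe with `/K`, which keeps the shell open after the command, and an interactive PowerShell session does not exit on its own; a locked image cannot be force-deleted, so the masquerading binary would persist in %APPDATA%. A `taskkill /IM taskhostw.exe` is not a safe remedy since it also matches the genuine taskhostw.exe; terminate by full path instead, e.g. `powershell -Command "Get-Process | Where-Object Path -eq (Join-Path $env:APPDATA 'taskhostw.exe') | Stop-Process -Force"` before `del /Q /F "%APPDATA%\taskhostw.exe"` (quoted, since %APPDATA% may contain a space). Whether the `/K` session is still open at cleanup time depends on the harness and is inferred, not visible here.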