Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1119/T1119.md

@@ -18,7 +18,8 @@ This technique may incorporate use of other techniques such as [File and Directo
 <br/>
 
 ## Atomic Test #1 - Automated Collection Command Prompt
-Automated Collection
+Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
+to see what was collected.
 
 **Supported Platforms:** Windows
 
@@ -30,10 +31,15 @@ Automated Collection
 
 
 ```cmd
+mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
 dir c: /b /s .docx | findstr /e .docx
-for /R c: %f in (*.docx) do copy %f c:\temp\
+for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
 ```
 
+#### Cleanup Commands:
+```cmd
+del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
+```
 
 
 
@@ -43,7 +49,8 @@ for /R c: %f in (*.docx) do copy %f c:\temp\
 <br/>
 
 ## Atomic Test #2 - Automated Collection PowerShell
-Automated Collection
+Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
+to see what was collected.
 
 **Supported Platforms:** Windows
 
@@ -55,9 +62,14 @@ Automated Collection
 
 
 ```powershell
-Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
+New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
+Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
 ```
 
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\T1119_powershell_collection -Force | Out-Null
+```
 
 
 
@@ -67,7 +79,8 @@ Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:
 <br/>
 
 ## Atomic Test #3 - Recon information for export with PowerShell
-collect information for exfiltration
+collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+to see what was collected.
 
 **Supported Platforms:** Windows
 
@@ -99,7 +112,8 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
 <br/>
 
 ## Atomic Test #4 - Recon information for export with Command Prompt
-collect information for exfiltration
+collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+to see what was collected.
 
 **Supported Platforms:** Windows
 

atomics/index.yaml

@@ -27117,33 +27117,40 @@ collection:
       identifier: T1119
     atomic_tests:
     - name: Automated Collection Command Prompt
-      description: 'Automated Collection
-
-'
+      description: |
+        Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
+        to see what was collected.
       supported_platforms:
       - windows
       executor:
         name: command_prompt
         command: |
+          mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
           dir c: /b /s .docx | findstr /e .docx
-          for /R c: %f in (*.docx) do copy %f c:\temp\
-    - name: Automated Collection PowerShell
-      description: 'Automated Collection
+          for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
+        cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
 
 '
+    - name: Automated Collection PowerShell
+      description: |
+        Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
+        to see what was collected.
       supported_platforms:
       - windows
       executor:
         name: powershell
         elevation_required: false
-        command: 'Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName
-          -destination c:\temp}
+        command: |
+          New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
+          Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
+        cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force
+          | Out-Null
 
 '
     - name: Recon information for export with PowerShell
-      description: 'collect information for exfiltration
-
-'
+      description: |
+        collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+        to see what was collected.
       supported_platforms:
       - windows
       executor:
@@ -27158,9 +27165,9 @@ collection:
           Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
           Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
     - name: Recon information for export with Command Prompt
-      description: 'collect information for exfiltration
-
-'
+      description: |
+        collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+        to see what was collected.
       supported_platforms:
       - windows
       executor:
@@ -27171,7 +27178,7 @@ collection:
           doskey /history > %TEMP%\T1119_2.txt
           wmic process list > %TEMP%\T1119_3.txt
           tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
-        cleanup_command: |-
+        cleanup_command: |
           del %TEMP%\T1119_1.txt >nul 2>&1
           del %TEMP%\T1119_2.txt >nul 2>&1
           del %TEMP%\T1119_3.txt >nul 2>&1