From 2c8c26fb71f243450f68cb1aedf4075de2e5b608 Mon Sep 17 00:00:00 2001
From: dwhite9
Date: Mon, 21 Oct 2019 16:04:17 -0500
Subject: [PATCH] Update T1037.yaml (#592)
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11. Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml Moved reg removal command under cleanup_command tag for consistency.
---
 atomics/T1037/T1037.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1037/T1037.yaml b/atomics/T1037/T1037.yaml
index 063e21e6..4251c2c1 100644
--- a/atomics/T1037/T1037.yaml
+++ b/atomics/T1037/T1037.yaml
@@ -21,7 +21,7 @@ atomic_tests:
 elevation_required: false
 command: |
 REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
- REM cleanup command below.
+ cleanup_command: |
 REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
 - name: Logon Scripts - Mac
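Review bot: The new `cleanup_command` removes `UserInitMprLogonScript` unconditionally, so on a host where that value already held a legitimate logon script the test overwrites it and cleanup deletes it instead of restoring it; the test description should say to run this only where the value is unset, or the prior value should be exported first. With the delete no longer part of `command`, the value also stays in place until cleanup is invoked, and `#{script_command}` would presumably run at that user's next logon, which is worth stating in a comment above the key such as `# value persists until cleanup_command runs; script_command executes at next logon`. When the value is absent the delete returns an error, so consider `REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1` to keep cleanup idempotent. The test entry begins above the hunk and the page has lost its indentation, so confirm that `cleanup_command` sits at the same level as `command`.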