From 62f83972c596bd4ce07be7417fb5672cb5d80a73 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Sat, 7 Oct 2023 13:25:51 -0600
Subject: [PATCH] use external payloads directory (#2554)

Co-authored-by: Hare Sudhan
---
 atomics/T1027/T1027.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index 2da59b4c..1599d6c5 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
@@ -111,11 +111,10 @@ atomic_tests:
 Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force
 executor:
 command: |
- "%temp%\temp_T1027.zip\T1027.exe"
+ "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
 cleanup_command: |
 taskkill /f /im calculator.exe >nul 2>nul
- rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
- del /Q "%temp%\T1027.zip" >nul 2>nul
+ taskkill /f /im CalculatorApp.exe >nul 2>nul
 name: command_prompt
 - name: DLP Evasion via Sensitive Data in VBA Macro over email
 auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
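Review bot: The new `cleanup_command` no longer removes anything from disk, because the `rmdir` and `del` lines were dropped rather than pointed at the new location, so the extracted `T1027.exe` and its archive stay under `ExternalPayloads` after the test finishes. If keeping downloaded payloads there is the intended convention, a short comment in `cleanup_command` saying so would stop a later reader treating it as an oversight. Otherwise the extracted copy can be removed with `rmdir /S /Q "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip" >nul 2>nul`. A leftover test executable on an endpoint is likely to show up later in AV/EDR scans or forensic triage with no link to the test run, so the choice is worth making explicit. The test definition starts above this hunk, so its description and prerequisite check are not visible here and may still refer to `%temp%`.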