From bf6d97679d7f208ffbeb00f61b80e46ee676de3c Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator <opensource@redcanary.com>
Date: Tue, 17 Sep 2024 21:28:08 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/index.yaml       | 6 ++----
 atomics/Indexes/linux-index.yaml | 6 ++----
 atomics/T1546.004/T1546.004.md   | 3 +--
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 64917865..889b0073 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -45794,8 +45794,7 @@ privilege-escalation:
         elevation_required: true
         command: |
           useradd --create-home --shell /bin/bash art
-          su --login art
-          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+          su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
         cleanup_command: 'userdel -fr art
 
           '
@@ -69751,8 +69750,7 @@ persistence:
         elevation_required: true
         command: |
           useradd --create-home --shell /bin/bash art
-          su --login art
-          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+          su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
         cleanup_command: 'userdel -fr art
 
           '
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index 465b5250..cb8a3ffa 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -26081,8 +26081,7 @@ privilege-escalation:
         elevation_required: true
         command: |
           useradd --create-home --shell /bin/bash art
-          su --login art
-          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+          su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
         cleanup_command: 'userdel -fr art
 
           '
@@ -40464,8 +40463,7 @@ persistence:
         elevation_required: true
         command: |
           useradd --create-home --shell /bin/bash art
-          su --login art
-          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+          su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
         cleanup_command: 'userdel -fr art
 
           '
diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md
index 429f16b5..a836825d 100644
--- a/atomics/T1546.004/T1546.004.md
+++ b/atomics/T1546.004/T1546.004.md
@@ -270,8 +270,7 @@ This test creates the art user, logs in, creates a .bash_logout which will echo
 
 ```bash
 useradd --create-home --shell /bin/bash art
-su --login art
-echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
 ```
 
 #### Cleanup Commands: