From c09320599973d92cfc8983edc9ca375d08abbecc Mon Sep 17 00:00:00 2001
From: CDub1016 <73127960+CDub1016@users.noreply.github.com>
Date: Tue, 10 Jan 2023 17:41:32 -0600
Subject: [PATCH] Update T1053.005.yaml (#2276)
* Update T1053.005.yaml Created cleanup command for T1053.005-Task Scheduler via VBA-Cleanup commands created
* Update T1053.005.yaml Fixed syntax error.
Co-authored-by: Carrie Roberts
---
 atomics/T1053.005/T1053.005.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index 87c10cf3..4ba6dccf 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -127,6 +127,8 @@ atomic_tests:
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
 Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
 name: powershell
+ cleanup command : |
+ Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false
 - name: WMI Invoke-CimMethod Scheduled Task
 auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
 description: |
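Review bot: The added executor key is written `cleanup command :` with a space, whereas the atomic test schema names this field `cleanup_command`. A runner that looks up `cleanup_command` will most likely never execute this block, so the scheduled task would stay registered on the test host after the run. The line should read `cleanup_command: |`. It is also worth making the cleanup tolerant of a test that failed before the task was created: `Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false -ErrorAction Ignore`. The task name has to match what the macro in `T1053.005-macrocode.txt` registers, and that file, like the start of this atomic test, is outside the hunk, so please confirm "Run Notepad" against it.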