From c3438e27b72c597963ca7b8a06037a565377fbfa Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Tue, 23 May 2023 14:13:38 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/index.yaml | 2 +-
 atomics/Indexes/windows-index.yaml | 2 +-
 atomics/T1098/T1098.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 0ac8e2c1..deece78c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -64450,7 +64450,7 @@ persistence:
 foreach($member in $fmm) {
 if($member -like "*Administrator*") {
- $account = $member.Name -replace ".+\\\","" # strip computername\
+ $account = $member.Name.Split("\")[-1] # strip computername\
 $originalDescription = (Get-LocalUser -Name $account).Description
 Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description
 Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 0e227f1b..2fafa525 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -56719,7 +56719,7 @@ persistence:
 foreach($member in $fmm) {
 if($member -like "*Administrator*") {
- $account = $member.Name -replace ".+\\\","" # strip computername\
+ $account = $member.Name.Split("\")[-1] # strip computername\
 $originalDescription = (Get-LocalUser -Name $account).Description
 Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description
 Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index 2a4b0457..3dbb2177 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -54,7 +54,7 @@ $fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "Use
 foreach($member in $fmm) {
 if($member -like "*Administrator*") {
- $account = $member.Name -replace ".+\\\","" # strip computername\
+ $account = $member.Name.Split("\")[-1] # strip computername\
 $originalDescription = (Get-LocalUser -Name $account).Description
 Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description
 Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation