diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e1b8015d..d26c605e 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -479,7 +479,7 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run ex
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
-defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
 defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 33d7b64e..0202ae58 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -307,7 +307,7 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run ex
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
-defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
 defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 5890d00c..be445740 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -32330,11 +32330,12 @@ defense-evasion:
       supported_platforms:
       - windows
       executor:
-        command: |-
-          copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
-          start %ALLUSERSPROFILE%\cmd.exe
-        cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
-        name: command_prompt
+        command: "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process
+          \"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\"
+          | out-null"
+        cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction
+          silentlycontinue
+        name: powershell
     - name: Malware Masquerading and Execution from Zip File
       auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
       description: When the file is unzipped and the README.cmd file opened, it executes
diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md
index acc8df89..f3115e20 100644
--- a/atomics/T1036/T1036.md
+++ b/atomics/T1036/T1036.md
@@ -26,17 +26,19 @@ It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a n
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
-```cmd
-copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
-start %ALLUSERSPROFILE%\cmd.exe
+```powershell
+copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
+start-process "$env:allusersprofile\cmd.exe"
+sleep -s 5
+stop-process -name "cmd" | out-null
 ```
 #### Cleanup Commands:
-```cmd
-del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
+```powershell
+remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
 ```
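Review bot: The new `command:` ends with `stop-process -name "cmd"`, which terminates every cmd.exe on the test host rather than only the copy the test launched, so an operator's own shells or a runner hosted under cmd can be killed as collateral. Capturing the launched process scopes the teardown: `$p = start-process "$env:allusersprofile\cmd.exe" -PassThru` and then `stop-process -Id $p.Id -erroraction silentlycontinue | out-null`. The Indexes and T1036.md look generated from the technique's source YAML (not in this diff), so the change belongs there and the index/docs should be regenerated rather than edited by hand. As a point of style, the generated scalar is a double-quoted string with `\n` escapes folded over three lines and carries a stray trailing space in `sleep -s 5 `; keeping the `|-` block scalar form the removed lines used reads cleaner and avoids the whitespace artifact.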