From dbf6e1af6ed9aebdd1b604425e53951ea89eabd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Fri, 26 Jun 2020 17:26:01 +0200
Subject: [PATCH] T1546.008: re-add cleanup command lost during transition to subtechnique (#1087)

And improve it

Co-authored-by: Carrie Roberts
---
 atomics/T1546.008/T1546.008.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
index cdd70619..4ddefabb 100644
--- a/atomics/T1546.008/T1546.008.yaml
+++ b/atomics/T1546.008/T1546.008.yaml
@@ -38,6 +38,13 @@ atomic_tests:
 New-ItemProperty -Path $registryPath -Name $name -Value $Value
 }
 }
+ cleanup_command: |
+ $input_table = "#{parent_list}".split(",")
+ Foreach ($item in $input_table)
+ {
+ $item = $item.trim()
+ reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
+ }
 name: powershell
 elevation_required: true
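Review bot: The `2>&1 | Out-Null` on the `reg delete` line discards every failure, not only the expected "value not found" case, so a cleanup that fails (for example on access denied) leaves the `Debugger` value under Image File Execution Options in place with no signal to the operator. Since that value is the hook this test plants, a host that silently keeps it remains in the modified state after the run and may skew later detection results. Consider adding a post-delete check inside the loop, e.g. `if (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" -Name Debugger -ErrorAction Ignore) { Write-Warning "Debugger value still present for $item" }`. The loop also removes only the value; if the command section (which starts outside this hunk) creates the per-image key, an empty key would remain, which deserves a comment if that is intentional.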