diff --git a/atomics/T1592.001/T1592.001.md b/atomics/T1592.001/T1592.001.md index 666f2943..e67c8c85 100644 --- a/atomics/T1592.001/T1592.001.md +++ b/atomics/T1592.001/T1592.001.md @@ -2,17 +2,16 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/001/)
Adversaries may use powershell script to gather information about the system, configuration, and even mounted hardware on the target host. - Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities. -
+ Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities. ## Atomic Tests -- [Atomic Test #1 - Query Registry](#atomic-test-1---Enumerate PlugNPlay Camera) +- [Atomic Test #1 - Enumerate PlugNPlay Camera](#atomic-test-1---enumerate-plugnplay-camera)
-## Atomic Test #1 - Query Registry +## Atomic Test #1 - Enumerate PlugNPlay Camera Enumerate PlugNPlay Camera. Upon successful execution, powershell.exe will perform queries to plugnplay camera device mounted on the host. References: @@ -24,3 +23,11 @@ https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat **Supported Platforms:** Windows **auto_generated_guid:** 08a04133-3f2a-4eb0-bdd8-2aa513d2fb60 + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" +``` diff --git a/atomics/T1592.001/T1592.001.yml b/atomics/T1592.001/T1592.001.yml index dcd9be43..4a2a1326 100644 --- a/atomics/T1592.001/T1592.001.yml +++ b/atomics/T1592.001/T1592.001.yml @@ -4,12 +4,11 @@ atomic_tests: - name: Enumerate PlugNPlay Camera auto_generated_guid: d430bf85-b656-40e7-b238-42db01df0183 description: | - Enumerate PlugNPlay Camera using powershell commandlet. this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info mounted on the compromised host. - reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor + Enumerate PlugNPlay Camera using powershell commandlet. this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info mounted on the compromised host. reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor supported_platforms: - - windows + - windows executor: + name: powershell + elevation_required: true command: | Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" - name: powershell - elevation_required: true
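Review bot: the technique description in this hunk is re-emitted only to drop the stray trailing "-", but its wording is left untouched ("Dark Crystal Rat use several technique ... camera and many as part of"); since the line is being rewritten anyway, correct it to "Dark Crystal Rat uses several techniques to gather hardware information from the compromised host, such as the microphone, CPU, GPU and camera, as part of its data collection and backdoor capabilities." The heading rename and the fixed TOC anchor (`#atomic-test-1---enumerate-plugnplay-camera`) do now agree with the test name in the yml, which is the right fix.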
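Review bot: the `auto_generated_guid` shown in this markdown hunk (08a04133-3f2a-4eb0-bdd8-2aa513d2fb60) does not match the guid in the accompanying T1592.001.yml change (d430bf85-b656-40e7-b238-42db01df0183), so the two files describe the test with different identifiers; the markdown should be regenerated from (or aligned with) the yml rather than hand-edited. The same mismatch shows in the new `#### Attack Commands: Run with `powershell`!` header, which carries no elevation note even though the yml sets `elevation_required: true`; whichever value is correct, both files need to say the same thing.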
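Review bot: `elevation_required: true` in the executor block looks wrong for this command: `Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity ..."` reads the root\cimv2 namespace, which a standard user can query, so the test should run unelevated (set it to `false`) or the description should state why administrator rights are needed. Moving `name`/`elevation_required` above `command` and fixing the `- windows` indentation are fine; the inlined `reference: https://www.mandiant.com/...` inside the description block scalar keeps the file valid YAML, but the sentence around it still reads "this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info", which should be "This technique was seen in the DCRat backdoor, which enumerates camera information on the compromised host."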