From e940fcbe5b02fa19ff1077a214609418b3e6d30d Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Thu, 24 Oct 2019 17:13:51 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs
 branch=master

---
 atomics/T1086/T1086.md | 8 +++++++-
 atomics/index.yaml     | 6 +++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index b6f3b1c5..6b78b873 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -278,11 +278,17 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
 
 #### Run it with `command_prompt`! 
 ```
-reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+REM Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
+reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
 powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
 ```
 
 
+#### Cleanup Commands:
+```
+del /Q /F %SystemRoot%\Temp\art-marker.txt
+REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
+```
 
 <br/>
 <br/>
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 6751862a..74e48e92 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -18926,8 +18926,12 @@ execution:
         name: command_prompt
         elevation_required: false
         command: |
-          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+          REM Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
+          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
           powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
+        cleanup_command: |
+          del /Q /F %SystemRoot%\Temp\art-marker.txt
+          REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
     - name: PowerShell Downgrade Attack
       description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/