From 12758536a1477f092ad0f93c5471b2188d944f52 Mon Sep 17 00:00:00 2001
From: timfrazier1 <timfrazier1@users.noreply.github.com>
Date: Mon, 11 Jun 2018 13:27:29 -0400
Subject: [PATCH 1/7] Changed Default to point to online script

---
 atomics/T1117/T1117.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1117/T1117.yaml b/atomics/T1117/T1117.yaml
index b801b26ca2..99ff938d75 100644
--- a/atomics/T1117/T1117.yaml
+++ b/atomics/T1117/T1117.yaml
@@ -25,7 +25,7 @@ atomic_tests:
    url:
     description: URL to hosted sct file
     type: Url
-    default: http://www.example.com/file.sct
+    default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct
   executor:
    name: command_prompt
    command: |

From cbcccc8d44dc7723cca4a3a0bffe663db07a8f0c Mon Sep 17 00:00:00 2001
From: timfrazier1 <timfrazier1@users.noreply.github.com>
Date: Mon, 11 Jun 2018 14:10:31 -0400
Subject: [PATCH 2/7] Creating new example scriptlet

---
 atomics/T1170/mshta.sct | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 atomics/T1170/mshta.sct

diff --git a/atomics/T1170/mshta.sct b/atomics/T1170/mshta.sct
new file mode 100644
index 0000000000..4b02140071
--- /dev/null
+++ b/atomics/T1170/mshta.sct
@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- mshta.sct example file -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");	
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

From dafc67171f9119d159d63a7616ef08c7324e410a Mon Sep 17 00:00:00 2001
From: timfrazier1 <timfrazier1@users.noreply.github.com>
Date: Mon, 11 Jun 2018 14:11:27 -0400
Subject: [PATCH 3/7] Updating to point to new example script

---
 atomics/T1170/T1170.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 479165408a..b0c735368e 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -12,7 +12,7 @@ atomic_tests:
     file_url:
       description: location of the payload
       type: Url
-      default: https://www.example.com/mshta.sct
+      default: https://raw.githubusercontent.com/timfrazier1/atomic-red-team/master/atomics/T1170/mshta.sct
   executor:
     name: command_prompt
     command: |

From 5e2053f9780092f7829f8d2dfb86fa6f9a54c31e Mon Sep 17 00:00:00 2001
From: timfrazier1 <timfrazier1@users.noreply.github.com>
Date: Tue, 12 Jun 2018 10:16:28 -0400
Subject: [PATCH 4/7] Delete mshta.sct

---
 atomics/T1170/mshta.sct | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 atomics/T1170/mshta.sct

diff --git a/atomics/T1170/mshta.sct b/atomics/T1170/mshta.sct
deleted file mode 100644
index 4b02140071..0000000000
--- a/atomics/T1170/mshta.sct
+++ /dev/null
@@ -1,23 +0,0 @@
-<?XML version="1.0"?>
-<scriptlet>
-<registration 
-    progid="PoC"
-    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
-	<!-- mshta.sct example file -->
-
-	<!-- .sct files when downloaded, are executed from a path like this -->
-	<!-- Please Note, file extenstion does not matter -->
-	<!-- Though, the name and extension are arbitary.. -->
-	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
-	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
-  	<!-- You can either execute locally, or from a url -->
-	<script language="JScript">
-		<![CDATA[
-	    		// calc.exe should launch, this could be any arbitrary code.
-      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
-			var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");	
-	
-		]]>
-</script>
-</registration>
-</scriptlet>

From 257ab12188f0a87a09e869a777adf3f599c02a0d Mon Sep 17 00:00:00 2001
From: timfrazier1 <timfrazier1@users.noreply.github.com>
Date: Tue, 12 Jun 2018 10:17:44 -0400
Subject: [PATCH 5/7] Update T1170.yaml

---
 atomics/T1170/T1170.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index b0c735368e..479165408a 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -12,7 +12,7 @@ atomic_tests:
     file_url:
       description: location of the payload
       type: Url
-      default: https://raw.githubusercontent.com/timfrazier1/atomic-red-team/master/atomics/T1170/mshta.sct
+      default: https://www.example.com/mshta.sct
   executor:
     name: command_prompt
     command: |

From 65025fe84c957264489128d56bdb46df85ebfc69 Mon Sep 17 00:00:00 2001
From: timfrazier1 <timfrazier1@users.noreply.github.com>
Date: Thu, 12 Jul 2018 20:13:57 -0400
Subject: [PATCH 6/7] Update T1127.yaml

Substitute variable for hard coded filename
---
 atomics/T1127/T1127.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml
index a66b994277..30e3f9b386 100644
--- a/atomics/T1127/T1127.yaml
+++ b/atomics/T1127/T1127.yaml
@@ -15,4 +15,4 @@ atomic_tests:
   executor:
     name: command_prompt
     command: |
-     C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe T1127.csproj
+     C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}

From 5b72734e90684a1c98c9302d93a9d0c780b0f913 Mon Sep 17 00:00:00 2001
From: Tim Frazier <tim.frazier@phantom.us>
Date: Thu, 12 Jul 2018 20:39:25 -0400
Subject: [PATCH 7/7] Moving csproj file to src folder

---
 atomics/T1127/{ => src}/T1127.csproj | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename atomics/T1127/{ => src}/T1127.csproj (100%)

diff --git a/atomics/T1127/T1127.csproj b/atomics/T1127/src/T1127.csproj
similarity index 100%
rename from atomics/T1127/T1127.csproj
rename to atomics/T1127/src/T1127.csproj