From f308db7af926769c9c626ee2a1595ec8b51017aa Mon Sep 17 00:00:00 2001
From: Retrospected
Date: Wed, 18 Dec 2024 17:52:10 +0100
Subject: [PATCH] Fix T1547.001 test b051b3c0-66e7-4a81-916d-e6383bd3a669 by adding /f argument to the reg modification by reg.exe (#3017)
Co-authored-by: Bhavin Patel
---
 atomics/T1547.001/T1547.001.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml
index bb0b61f348..c8de9aa211 100644
--- a/atomics/T1547.001/T1547.001.yaml
+++ b/atomics/T1547.001/T1547.001.yaml
@@ -392,8 +392,8 @@ atomic_tests:
 default: calc
 executor:
 command: |
- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
- cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms /t REG_SZ /d "rdpclip"
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
+ cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /f /v StartupPrograms /t REG_SZ /d "rdpclip"
 name: command_prompt
 elevation_required: true
@@ -412,6 +412,6 @@ atomic_tests:
 executor:
 command: |
 reg add HKLM\System\CurrentControlSet\Control\BootVerificationProgram /v ImagePath /t REG_SZ /d "#{malicious_file}"
- cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
+ cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram /f
 name: command_prompt
 elevation_required: true
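Review bot: The cleanup_command restores StartupPrograms to a hard-coded `rdpclip` instead of the value that was present before the test, and with `/f` that overwrite now happens without a prompt. On a host where the value had been customised, running the test and then the cleanup leaves the RDP startup configuration changed with nothing to show for it. I would add a comment above cleanup_command, `# resets StartupPrograms to rdpclip (assumed Windows default); a prior custom value is not restored`, or record the original value in a prerequisite step so the cleanup can put it back. The test definition starts above the hunk.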
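Review bot: The `reg add` for `ImagePath` in the command just above the changed line still has no `/f`, so when the value already exists (for example on a re-run after a failed cleanup) reg.exe asks for overwrite confirmation and the test can stall, which is the same problem this commit fixes for the rdpwd test. It should read `reg add HKLM\System\CurrentControlSet\Control\BootVerificationProgram /f /v ImagePath /t REG_SZ /d "#{malicious_file}"`. Separately, the cleanup now force-deletes the whole BootVerificationProgram key; if that key can exist beforehand with other values, scoping the delete with `/v ImagePath` would leave them intact. The test definition starts above the hunk.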