From 3d2018b41bfa4735649d06519b744b680f9b2323 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Fri, 9 Sep 2022 11:07:11 -0600
Subject: [PATCH] add link to blog post for more info (#2129)

* add link to blog post for more info
* Update T1218.011.yaml
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
---
 atomics/T1218.011/T1218.011.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index 63ff5170..91690442 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -4,7 +4,10 @@ atomic_tests:
 - name: Rundll32 execute JavaScript Remote Payload With GetObject
 auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
 description: |
- Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
+ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
+ This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)
+
+ Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed.
 supported_platforms:
 - windows
 input_arguments:
@@ -275,4 +278,4 @@ atomic_tests:
 copy #{exe_to_launch} not_an_scr.scr
 rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
 cleanup_command:
- del not_an_scr.scr
\ No newline at end of file
+ del not_an_scr.scr
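Review bot: The added Note says GetObject is unsupported from IE9 onward, but the line above it still states `Upon execution notepad.exe will be opened.` as an unconditional success indicator, so on any current Windows host the test will look broken against its own description. I would make the expected outcome conditional, e.g. `Upon execution notepad.exe will be opened, but only on hosts whose script engine still supports GetObject (pre-IE9); on later hosts the remote script is not executed and notepad.exe will not appear`, hedged because the rundll32 command line and executor are outside this hunk. Stating which part of the invocation still occurs on modern hosts would also help detection engineers decide whether this atomic still produces useful telemetry. Separately, the removed and re-added first description line read identically here; if that change is whitespace-only, make sure no trailing space was left inside the `|` block scalar, where it becomes part of the value. The atomic test definition continues past the hunk (input_arguments and the executor are outside it).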