From 4df65234e90da4052bc54aa9532fa96248d21833 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 9 Sep 2022 17:07:44 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/index.yaml | 10 ++++++----
 atomics/T1218.011/T1218.011.md | 5 ++++-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 87957a9d..86e45f16 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -241,10 +241,12 @@ defense-evasion:
 atomic_tests:
 - name: Rundll32 execute JavaScript Remote Payload With GetObject
 auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
- description: 'Test execution of a remote script using rundll32.exe. Upon execution
- notepad.exe will be opened.
-
- '
+ description: "Test execution of a remote script using rundll32.exe. Upon execution
+ notepad.exe will be opened. \nThis has been used by Win32/Poweliks malware
+ and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)\n\nNote:
+ The GetObject function is no longer supported in Internet Explorer v9 (2011)
+ and later so this technique would only work where very old versions of IE
+ are installed. \n"
 supported_platforms:
 - windows
 input_arguments:
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 86dfd3dd..264219bb 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -40,7 +40,10 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni
 ## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
-Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
+Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
+This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/)
+
+Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed.
 **Supported Platforms:** Windows