From 1de20cecc638380b3598df56a662bcb385551ee1 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 11:07:13 -0500 Subject: [PATCH] more ttps --- LateralMovement.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/LateralMovement.md b/LateralMovement.md index 358c13c..8a31449 100644 --- a/LateralMovement.md +++ b/LateralMovement.md @@ -30,7 +30,19 @@ TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV" AND ### T1021.002 SMB/Windows Admin Shares Atomics: [T1021.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md) +Detecting the creation and use of may catch a lot of legitimate activity, I wouldn't recommend subscribing to this query. + +``` +TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine ContainsCIS "use ") +``` ### T1021.006 Windows Remote Management Atomics: [T1021.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md) +The below query (in order) remote process executions through MMC, WMIC, and PsExec (by name or display name). Also of note, there are only 3 tests documented for this Atomic, yet there are 6 tests, so the below query focuses on detectability. + +*PsExec detection may have a lot of noise depending on your environment, and may require additional filtering.* + +``` +(TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine ContainsCIS "MMC20.application" AND TgtProcCmdLine ContainsCIS ".Document.ActiveView.ExecuteShellCommand(") OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty) +``` \ No newline at end of file
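Review bot: both explanatory sentences added in this hunk are incomplete and should be finished before merging: under T1021.002, "Detecting the creation and use of may catch a lot of legitimate activity" is missing its object (whatever the query is meant to catch, e.g. mapped drives or admin shares), and under T1021.006, "The below query (in order) remote process executions through MMC, WMIC, and PsExec" is missing its verb (e.g. "The below query detects, in order, remote process executions through ..."). The sentence "there are only 3 tests documented for this Atomic, yet there are 6 tests, so the below query focuses on detectability" also needs to state plainly which tests the query covers and which it leaves out. On the logic of the T1021.006 query: the section heading is Windows Remote Management, yet none of the three clauses keys on anything WinRM-specific, so a WinRM-based test for this technique would not be caught; consider adding a clause for that path or documenting why it is omitted. In the T1021.002 query, the `TgtProcName = "net.exe" AND TgtProcCmdLine ContainsCIS "use "` clause also matches `net use /delete` and a bare `net use` listing, which adds to the noise the added note already warns about, so the note should mention it or the clause should be tightened.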