From 23e97ac3c4c98b33a5153a1b638d4e8cdf042bc8 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 09:52:42 -0500 Subject: [PATCH] T1021.001 Scripted Lateral RDP --- LateralMovement.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/LateralMovement.md b/LateralMovement.md index 5f5d89f..212a89d 100644 --- a/LateralMovement.md +++ b/LateralMovement.md @@ -17,10 +17,14 @@ Detects RDS and RemoteApp session redirections for lateral movement. SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:" ``` - ### T1021.001 Remote Desktop Protocol Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md) +Below query will catch both Atomic tests because it focuses on detecting the use of cmdkey for authenticating RDP sessions (often used for automated lateral movement). + +``` +TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV" AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:" +``` ### T1021.002 SMB/Windows Admin Shares Atomics: [T1021.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md)
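Review bot: the added query ANDs three substrings (`/generic:TERMSRV`, `/user:` and `/pass:`) on the cmdkey.exe command line, so it only fires when the password is supplied inline with the `/pass:` switch; a credential stored through the prompted form of `/pass` (no value) or via `/smartcard` leaves `/pass:` absent and the query silent, which is a coverage gap for the "automated lateral movement" the note says it targets. Consider matching on `TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV"` alone, or documenting the narrower scope next to the query. The description also says the query "will catch both Atomic tests" without naming them or showing the command line each produces; quoting the exercised cmdkey invocation beside the query would let a reader verify the claim the way the tscon rule above can be checked against its `/dest:` argument. Two style points: the new rule switches to `TgtProcName`/`TgtProcCmdLine` while the tscon rule a few lines up uses `SrcProcName`/`SrcProcCmdLine`, so either align the field names or add a sentence explaining why this one keys on the target process; and the hunk removes the blank line between the previous closing fence and `### T1021.001` while leaving no blank line between the new closing fence and `### T1021.002`, which renders the headings inconsistently.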