From 24fe744d206dab57dab939895c1320f67ff7e87b Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 23 Oct 2020 16:48:15 -0500 Subject: [PATCH] T1003.004 LSA Secrets --- Tactics/CredentialAccess.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Tactics/CredentialAccess.md b/Tactics/CredentialAccess.md index 36d1553..0d3f51a 100644 --- a/Tactics/CredentialAccess.md +++ b/Tactics/CredentialAccess.md @@ -74,6 +74,11 @@ TgtProcCmdline ContainsCIS "Get-Keystrokes" OR SrcProcCmdScript ContainsCIS "use ### T1003.004 LSA Secrets Atomics: [T1003.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md) +For simplicity, we're detecting a Cmdline used for both psexec (the test) as well as direct reg.exe LSA extraction. + +` +TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets" +` ### T1003.001 LSASS Memory Atomics: [T1003.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md)
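Review bot: The added query is wrapped in single backticks on their own lines, which will not render as a code block in Markdown; use a fenced block (triple backticks) so the `TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"` line displays as a query rather than running into the surrounding text. Two smaller points in the same hunk: the field name is spelled `TgtProcCmdLine` here but `TgtProcCmdline` in the unchanged context line above, so the document should settle on one spelling in case the query language treats field names case-sensitively; and the description "a Cmdline used for both psexec (the test) as well as direct reg.exe LSA extraction" would be clearer if it said that the Atomic test launches the same `reg.exe` command via psexec, so the one substring covers both paths, and that since the match is a fixed substring, any variation in how the registry path is written on the command line would not trigger it.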