T1550 PtH and PtT

LateralMovement.md

@@ -1,12 +1,13 @@
 ## Lateral Movement
 
-### T1550.002 Pass the Hash
+### T1550 Pass the Hash & Pass the Ticket
-Atomics: [T1550.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md)
+Atomics: [T1550.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md), [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md)
 
+Here we're focusing on detecting command line arguments of Mimikatz, so binary and powershell mimikatz will be detected assuming arguments haven't been modified before deployment. 
 
-### T1550.003 Pass the Ticket
+```
-Atomics: [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md)
+TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt")
-
+```
 
 ### T1563.002 RDP Hijacking
 Atomics: [T1563.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md)
@@ -17,7 +18,7 @@ Detects RDS and RemoteApp session redirections for lateral movement.
 SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"
 ```
 
-### T1021.001 Remote Desktop Protocol
+### T1021.001 Scripted Lateral RDP
 Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md)
 
 Below query will catch both Atomic tests because it focuses on detecting the use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).