From 70c5d6077828879a0872b0432d66079716a4d0b8 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 18 Sep 2020 16:13:35 -0500 Subject: [PATCH] Added T1505.002 Transport Agent --- Persistence.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Persistence.md b/Persistence.md index 532303f..d63c4fc 100644 --- a/Persistence.md +++ b/Persistence.md @@ -234,6 +234,12 @@ Focuses on Test 2: Detection .lnk or .url files written to Startup folders. Filt ### T1505.002 Transport Agent Atomics: [T1505.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md) +Detection of Powershell TransportAgent Cmdlets being used to setup an Exchange Transport Agent. + +``` +SrcProcCmdLine In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent") OR SrcProcCmdScript In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent") +``` + ### T1505.003 Web Shell Atomics: [T1505.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md)
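Review bot: The added query matches on `Get-TransportAgent` in both the `SrcProcCmdLine` and `SrcProcCmdScript` lists, but that cmdlet only enumerates agents, while the new description says the detection is for cmdlets "being used to setup an Exchange Transport Agent". Consider limiting the lists to `Install-TransportAgent` and `Enable-TransportAgent`. If enumeration is worth keeping as a discovery signal, put it in a separate, lower-priority query so that routine inventory or health-check scripts do not drown out the install and enable hits. The description line could also note the expected benign matches, such as Exchange administrators or third-party mail-filtering products registering agents, so an analyst knows what to filter. Two minor wording points in the same line: "Powershell" should be "PowerShell", and "setup" should be "set up".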