From c17dce22d11c2c35e53551c89201960569efccf7 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 18 Sep 2020 17:43:37 -0500 Subject: [PATCH] added T1059.003 Windows Command Shell --- Execution.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Execution.md b/Execution.md index 59bbb65..8ab262d 100644 --- a/Execution.md +++ b/Execution.md @@ -59,6 +59,12 @@ Atomics: [T1059.005](https://github.com/redcanaryco/atomic-red-team/blob/master/ ### T1059.003 Windows Command Shell Atomics: [T1059.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md) +Atomic test cases here simulate execution of batch files, so we're querying for bat files executed where SrcProcParentName isn't an executable we want to filter. + +``` +(SrcProcName = "cmd.exe" AND FileFullName ContainsCIS "\Temp" AND FileType = "bat") AND SrcProcParentName Not In ("msiexec.exe") +``` + ### T1047 Windows Management Instrumentation Atomics: [T1047](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md)
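Review bot: the description above the query block should say that the query is scoped to the atomic's own layout rather than to Windows Command Shell execution in general: `FileFullName ContainsCIS "\Temp"` and `FileType = "bat"` restrict matches to batch files under a Temp path, so batch files run from elsewhere (or `.cmd` files) will not match, and the parent exclusion is a single entry, `SrcProcParentName Not In ("msiexec.exe")`. The sentence "where SrcProcParentName isn't an executable we want to filter" is also hard to parse; consider "... and excludes msiexec.exe as the parent process, since the installer legitimately spawns cmd.exe for batch files" only if that is the reason for the exclusion, otherwise state the actual reason. The fenced block has no language tag, while the rest of the file may or may not tag its query blocks; either way, naming the query language in the prose would help readers who do not recognise `ContainsCIS`.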