diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 7ad2f7b..4400dc5 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -34,6 +34,10 @@ Atomics: [T1070.001](https://github.com/redcanaryco/atomic-red-team/blob/master/ ### T1027.004 Compile After Delivery Atomics: [T1027.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md) +``` +(TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName = "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe","AbtSvcHost_.exe")) +``` + ### T1218.001 Compiled HTML File Atomics: [T1218.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md) diff --git a/Execution.md b/Execution.md index bbaea1f..ee1f8c9 100644 --- a/Execution.md +++ b/Execution.md 
@@ -12,11 +12,12 @@ TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive " ### T1559.002 Dynamic Data Exchange Atomics: [T1559.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md) +Latest Office 365 clients weren't executing DDE code but were providing warnings, so my simulations were unsucessful. The T1204.002 detection immediately below should cover processes spawned from Office applications. ### T1204.002 Malicious Documents Atomics: [T1204.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md) -The tests for this technique overlap heavily with [T1566.001 Spearphishing Attachment](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/a2fd4227666db3f1c5d6713ae3e3b21bf5343b79/InitialAccess.md#t1566001-spearphishing-attachment) due to similar download and macro detections, so here we're focusing on detecting Office applications launching processes. The below query will cover tests 1, 3 and 4 but test [#2](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md#atomic-test-2---ostap-payload-download) is standalone cscript execution and will be detected with other queries. +The tests for this technique overlap heavily with [T1566.001 Spearphishing Attachment](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/InitialAccess.md#t1566001-spearphishing-attachment) due to similar download and macro detections, so here we're focusing on detecting Office applications launching processes. The below query will cover tests 1, 3 and 4 but test [#2](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md#atomic-test-2---ostap-payload-download) is standalone cscript execution and will be detected with other queries. 
``` (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe")) OR IndicatorName = "SuspiciousDocument" @@ -25,6 +26,7 @@ The tests for this technique overlap heavily with [T1566.001 Spearphishing Attac ### T1106 Native API Atomics: [T1106](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md) +There aren't any combination of available indicator types to query to find malicious uses of WinAPI for process execution, though this test can be detected through [T1027.004 Compile After Delivery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md#t1027004-compile-after-delivery) ### T1059.001 PowerShell Atomics: [T1059.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md)
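Review bot: in the T1027.004 query added to DefenseEvasion.md, the first clause names the target process (`TgtProcName = "csc.exe"`) but checks the source process's command line (`SrcProcCmdLine Contains "/target:exe"`), so a `/target:exe` switch on csc.exe's own command line will not match unless the parent happens to carry the same text; the at.exe query visible in the Execution.md hunk header checks the created process with `TgtProcCmdLine ContainsCIS`, and the same pair fits here: `(TgtProcName = "csc.exe" AND TgtProcCmdLine ContainsCIS "/target:exe")`. Two caveats belong in the markdown next to the query: csc.exe also accepts the short form `/t:exe` and builds an exe by default when no target switch is given, so the first clause only catches callers that spell the switch out, and `Contains` is case-sensitive where the rest of the repo uses `ContainsCIS`. The `SrcProcParentName Not In ("svchost.exe","AbtSvcHost_.exe")` exclusion in the second clause is unexplained; one line saying which benign compile activity it suppresses would help whoever tunes it next.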
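Review bot: typo in the DDE note added in the `@@ -12,11 +12,12 @@` hunk of Execution.md: "unsucessful" should be "unsuccessful". Switching the T1566.001 link from the pinned commit to `master` is fine for an in-repo cross reference, but note that the `#t1566001-spearphishing-attachment` anchor will now silently break if that heading is ever renamed.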
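Review bot: grammar in the T1106 note added in the `@@ -25,6 +26,7 @@` hunk: "There aren't any combination of available indicator types" should read "There isn't any combination of available indicator types" (or "There are no combinations ..."), and the sentence has no closing period after the Compile After Delivery link. "this test" is also ambiguous directly after a link to the whole T1106 atomics page; name the test that compiles its payload with csc.exe so the cross reference to T1027.004 can be checked.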