ARTifacts - Detections

Adding a few detections for some Chain Reactions.

ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat

@@ -1,3 +1,5 @@
+::Chain Reaction - Cyclotron
+::
 :: In this test we will executing a binary multiple ways.
 :: Some of these are Application Whitelisting Bypasses
 :: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)

ARTifacts/Detection/Argonaut_detection.md

@@ -0,0 +1,12 @@
+# Chain Reaction - Argonaut - Detection
+
+[Chain Reaction - Argonaut](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1)
+
+## Tactics: Execution, Discovery
+
+Technique: [PowerShell](https://attack.mitre.org/wiki/Technique/T1086)
+
+### Baseline
+
+    process_name:powershell.exe AND netconn_count:[1 TO *]
+    filemod:\AppData\Local\Temp\*.bat

ARTifacts/Detection/Cyclotron_detection.md

@@ -0,0 +1,22 @@
+# Chain Reaction - Cyclotron - Detection
+
+[Chain Reaction - Cyclotron](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat)
+
+## Tactic: Execution
+
+ Technique: [Installutil](https://attack.mitre.org/wiki/Technique/T1118)
+
+ Technique: [regsvcs/regasm](https://attack.mitre.org/wiki/Technique/T1121)
+
+ Technique: [regsvr32](https://attack.mitre.org/wiki/Technique/T1117)
+
+ Technique: [rundll32](https://attack.mitre.org/wiki/Technique/T1085)
+
+### Baseline
+
+    process_name:installutil.exe
+    process_name:installutil.exe cmdline:\/LogToConsole=false
+    process_name:regsvcs.exe
+    process_name:regasm.exe
+    process_name:regsvr32.exe cmdline:/s
+    process_name:rundll32.exe