From 901d2275c4728288d2bda46aa87d02fca7bec794 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Thu, 1 Feb 2018 15:46:25 -0600
Subject: [PATCH] ARTifacts - Detections Adding a few detections for some Chain Reactions.
---
.../chain_reaction_Cyclotron.bat | 2 ++
ARTifacts/Detection/Argonaut_detection.md | 12 ++++++++++
ARTifacts/Detection/Cyclotron_detection.md | 22 +++++++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 ARTifacts/Detection/Argonaut_detection.md
create mode 100644 ARTifacts/Detection/Cyclotron_detection.md
diff --git a/ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat b/ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
index c7d9a2fa..ea02a1de 100644
--- a/ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
+++ b/ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
@@ -1,3 +1,5 @@
+::Chain Reaction - Cyclotron
+::
 :: In this test we will executing a binary multiple ways.
 :: Some of these are Application Whitelisting Bypasses
 :: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
diff --git a/ARTifacts/Detection/Argonaut_detection.md b/ARTifacts/Detection/Argonaut_detection.md
new file mode 100644
index 00000000..3ca983cc
--- /dev/null
+++ b/ARTifacts/Detection/Argonaut_detection.md
@@ -0,0 +1,12 @@
+# Chain Reaction - Argonaut - Detection
+
+[Chain Reaction - Argonaut](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1)
+
+## Tactics: Execution, Discovery
+
+Technique: [PowerShell](https://attack.mitre.org/wiki/Technique/T1086)
+
+### Baseline
+
+ process_name:powershell.exe AND netconn_count:[1 TO *]
+ filemod:\AppData\Local\Temp\*.bat
diff --git a/ARTifacts/Detection/Cyclotron_detection.md b/ARTifacts/Detection/Cyclotron_detection.md
new file mode 100644
index 00000000..01ea8474
--- /dev/null
+++ b/ARTifacts/Detection/Cyclotron_detection.md
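Review bot: The heading `## Tactics: Execution, Discovery` in Argonaut_detection.md names Discovery, but the only technique mapped is PowerShell (T1086) under Execution, so the Discovery half of the mapping has nothing in the file backing it; either add the Discovery technique the chain reaction exercises or narrow the heading to `## Tactic: Execution`. The two Baseline queries (`process_name:powershell.exe AND netconn_count:[1 TO *]` and `filemod:\AppData\Local\Temp\*.bat`) are listed without saying whether each is a separate search or they are meant to be combined, and the first on its own matches any PowerShell process that made a network connection. A one-line note under `### Baseline` naming the search syntax these queries are written in and stating that each line is an independent baseline search to run before the chain reaction would make the file usable by someone who did not write it. The Cyclotron_detection.md hunk later in this patch is missing the same syntax note.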
@@ -0,0 +1,22 @@
+# Chain Reaction - Cyclotron - Detection
+
+[Chain Reaction - Cyclotron](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat)
+
+## Tactic: Execution
+
+ Technique: [Installutil](https://attack.mitre.org/wiki/Technique/T1118)
+
+ Technique: [regsvcs/regasm](https://attack.mitre.org/wiki/Technique/T1121)
+
+ Technique: [regsvr32](https://attack.mitre.org/wiki/Technique/T1117)
+
+ Technique: [rundll32](https://attack.mitre.org/wiki/Technique/T1085)
+
+### Baseline
+
+ process_name:installutil.exe
+ process_name:installutil.exe cmdline:\/LogToConsole=false
+ process_name:regsvcs.exe
+ process_name:regasm.exe
+ process_name:regsvr32.exe cmdline:/s
+ process_name:rundll32.exe
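Review bot: The Baseline queries escape the forward slash inconsistently: `process_name:installutil.exe cmdline:\/LogToConsole=false` escapes it while `process_name:regsvr32.exe cmdline:/s` does not, so one of the two forms is presumably wrong for whatever search backend these target (in Lucene-style syntax a bare `/` opens a regex term, so the second line likely should read `process_name:regsvr32.exe cmdline:\/s`). The bare `process_name:rundll32.exe`, `process_name:regsvcs.exe` and `process_name:regasm.exe` lines match every invocation of those binaries, which is acceptable for a baseline but worth stating explicitly so nobody promotes them to alerting as-is. Since the file maps four techniques, the queries would be easier to tune if each was preceded by a short line naming which step of chain_reaction_Cyclotron.bat it is meant to surface.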