From dc0e511d12513c734b14bd5971dd222444e2ea09 Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Wed, 31 Jan 2018 09:29:11 -0600 Subject: [PATCH] Reactor - Detection - Collection Added Collection --- ARTifacts/Detection/Reactor_detection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ARTifacts/Detection/Reactor_detection.md b/ARTifacts/Detection/Reactor_detection.md index a341b99e..498fe148 100644 --- a/ARTifacts/Detection/Reactor_detection.md +++ b/ARTifacts/Detection/Reactor_detection.md @@ -64,6 +64,10 @@ Technique: Multiple Discovery ## Tactic: Collection Technique: [Automated Collection](https://attack.mitre.org/wiki/Technique/T1119) +### Baseline: + + filemod_count:[1 TO 1000] (process_name:cmd.exe OR process_name:powershell.exe) + ## Tactic: Exfiltration Technique: [Data Compressed](https://attack.mitre.org/wiki/Technique/T1002)
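Review bot: the added `### Baseline:` block under Tactic: Collection gives only the bare query `filemod_count:[1 TO 1000] (process_name:cmd.exe OR process_name:powershell.exe)` with no text saying what it is meant to establish or what the result should look like, and in this file every other entry pairs a Tactic with a linked Technique line, so the new heading reads as an orphan. Add a sentence above the query stating that it is a search to capture the pre-test volume of file-modification events from cmd.exe and powershell.exe (so the Automated Collection test can be compared against it), name the query language it is written for, and note the time window the baseline should be run over; without a time bound a count range of 1 to 1000 across all cmd.exe and powershell.exe processes will match most of the environment and is not a usable reference point. It would also help to make the implicit AND between the count range and the parenthesised process_name clause explicit, since readers copying the query into another tool may not get the same default operator.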