Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1218.002

Browse Source
This commit is contained in:
@
2020-09-20 21:01:50 -05:00
parent 9e709ffe58
commit 07929d190c
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
DefenseEvasion.md
+12
View File
@@ -74,6 +74,18 @@ Breaking down the below query, the first section will detect Atomic Test 1 where
### T1218.002 Control Panel
Atomics: [T1218.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md)
The below query will find all cpl files outside standard directories and all cpl files executed outside of Windows directories.
```
(TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows" AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
```
In the future, when **Cross Process Open Process Count** is working, it may be more accurate to detect execution of cpl files where EventType **Open Remote Process Handle** exists, though that can be added to above for filtering but would exclude Process type data.
```
SrcProcName = "rundll32.exe" AND SrcProcCmdLine ContainsCIS "Shell32.dll,Control_RunDLL" AND CrossProcOpenProcCount > 0
```
### T1574.001 DLL Search Order Hijacking
Atomics: [T1574.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md)