Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

formatting and added technique

Browse Source 
adde T1546.012 Image File Execution Options Injection
This commit is contained in:
keyboardcrunch
2020-09-15 14:13:18 -05:00
committed by GitHub
parent 1aedf1532f
commit 16bd9f43d0
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries.md
+11
View File
@@ -1,3 +1,6 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
## Privilege Escalation
### T1053.002 AT Scheduled Task ### T1053.002 AT Scheduled Task
Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md) Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md)
@@ -89,3 +92,11 @@ Detects enabling of Guest account, adding Guest account to groups, as well as ch
(SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value Modified")) (SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value Modified"))
``` ```
### T1546.012 Image File Execution Options Injection
Atomics: [T1546.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md)
Detection of Image File Execution Options tampering for persistence through Registry monitoring.
```
RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit") AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess")
```