T1562.002 Disable Windows Event Logging

2020-09-20 21:57:42 -05:00
parent ee235baf2d
commit 1a2a4884e8
@@ -125,6 +125,20 @@ This Atomic tests detections of certutil encoding and decoding of executables, a
### T1562.002 Disable Windows Event Logging ### T1562.002 Disable Windows Event Logging
Atomics: [T1562.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md) Atomics: [T1562.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md)
#### Atomic #1 - Disable IIS Logging
```
TgtProcName = "appcmd.exe" AND TgtProcCmdLine ContainsCIS "/dontLog:true" AND TgtProcCmdLine ContainsCIS "/section:httplogging"
```
#### Atomic #2 - Kill Eventlog Service Threads
Detection is specific to Invoke-Phant0m strings as the test uses it, and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread call.
```
SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
```
### T1562.004 Disable or Modify System Firewall ### T1562.004 Disable or Modify System Firewall
Atomics: [T1562.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md) Atomics: [T1562.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md)
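Review bot: the Atomic #2 query only catches obfuscated variants to the extent they keep the literal `$Kernel32::TerminateThread($getThread` text; the `$getThread` variable name is script-specific, so any copy that renames variables (a common obfuscation step) evades all three clauses, which undercuts the stated intent in the description line. Consider matching the API call more loosely, e.g. `SrcProcCmdScript ContainsCIS "TerminateThread"` combined with another indicator from the same script such as the OpenProcess/eventlog-service handling, and tuning the broader match on your own baseline. Two smaller points: Atomic #1 has no description line explaining what the rule keys on (the `/section:httplogging` plus `/dontLog:true` appcmd arguments) while Atomic #2 does, and the two rules use different process fields (`TgtProc*` for #1, `SrcProc*` for #2); a one-line note on why #1 inspects the target process and #2 the source process would help the next person maintaining these queries.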