Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-10 18:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

added T1136.001 Local Account

Browse Source
This commit is contained in:
@
2020-09-18 11:16:12 -05:00
parent fd985833c7
commit 1a9bf0677a
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Persistence.md
+6
View File
@@ -109,6 +109,12 @@ RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Option
### T1136.001 Local Account ### T1136.001 Local Account
Atomics: [T1136.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md) Atomics: [T1136.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md)
In the query below we'll query all instances of local accounts being created for Windows, Linux, and OSX. Depending on your environment, you may find quite a bit of noise with the Linux useradd command.
```
SrcProcCmdLine In Contains Anycase ("net user /add","useradd","New-LocalUser") OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet localgroup administrators\b.*\b\/add\b"
```
### T1037.001 Logon Scripts (Windows) ### T1037.001 Logon Scripts (Windows)
Atomics: [T1037.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md) Atomics: [T1037.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md)