mirror of
https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries
synced 2026-06-08 17:17:21 +00:00
T1021.001 Scripted Lateral RDP
+5
-1
@@ -17,10 +17,14 @@ Detects RDS and RemoteApp session redirections for lateral movement.
SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"
```
### T1021.001 Remote Desktop Protocol
Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md)
Below query will catch both Atomic tests because it focuses on detecting the use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).
```
TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV" AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:"
```
### T1021.002 SMB/Windows Admin Shares
Atomics: [T1021.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md)
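Review bot: the new cmdkey query's `TgtProcCmdLine ContainsCIS "/pass:"` term requires the password to be passed inline, but cmdkey's /pass switch also accepts no value and prompts for the password instead, so an invocation such as `cmdkey /generic:TERMSRV/host /user:name /pass` would not match; matching `ContainsCIS "/pass"` (no colon) keeps the intent of the "/generic:TERMSRV" and "/user:" terms while not depending on how the password is supplied. The sentence "Below query will catch both Atomic tests" would read better as "The query below will catch both Atomic tests" and should name the two tests it refers to so a reader can verify the coverage claim against the linked T1021.001 page.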