Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-09 09:37:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added T1546.013

Browse Source 
T1546.013 Malicious Process Start Added to Powershell Profile
This commit is contained in:
keyboardcrunch
2020-09-15 17:20:50 -05:00
committed by GitHub
parent a26444ba8d
commit 254ec7feb7
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries.md
+9
View File
@@ -136,3 +136,12 @@ Detects creation or modification of the file at `C:\program.exe` for exploiting
``` ```
(FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification")) OR TgtProcImagePath = "C:\program.exe" (FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification")) OR TgtProcImagePath = "C:\program.exe"
``` ```
### T1546.013 Malicious Process Start Added to Powershell Profile
Atomics: [T1546.013](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md)
Detects the addition of process execution strings (`TgtProcCmdLine In Contains Anycase (list)`)to the powershell profile, through CommandLine and CommandScript indicators.
```
(SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile" AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c"))
```