Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update PrivilegeEscalation.md

Browse Source
This commit is contained in:
keyboardcrunch
2020-09-16 13:24:21 -05:00
committed by GitHub
parent 113a4dd908
commit 29c34d3d21
1 changed files with 0 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
PrivilegeEscalation.md
-2
View File
@@ -18,7 +18,6 @@ Detections addition of a debugger process to executables using Image File Execut
(RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options" AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value Create" OR EventType = "Registry Key Create")
```
### T1546 Application Shimming
Atomics: [T1546.010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.010.md) ,
[T1546.011](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md)
@@ -220,4 +219,3 @@ Detects Winlogon Helper Dll changes through Registry MetadataIndicator item, as
```
IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell") AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
```