Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-11 02:21:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added T1546.007 netsh helper dll

Browse Source
This commit is contained in:
keyboardcrunch
2020-09-15 15:44:50 -05:00
committed by GitHub
parent cfdf3a71a0
commit 2b11a2768b
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries.md
+10
View File
@@ -109,3 +109,13 @@ Detects addition of logon scripts through command line or registry methods.
``` ```
SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND EventType = "Registry Value Create") SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND EventType = "Registry Value Create")
``` ```
### T1546.007 Netsh Helper DLL
Atomics: [T1546.007]()
Detection of "helper" dlls with network command shell, through command arguments or registry modification.
```
(TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value Create")
```