Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1550 PtH and PtT

Browse Source
This commit is contained in:
@
2020-09-27 10:00:25 -05:00
parent 23e97ac3c4
commit 5e824edf8b
1 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
LateralMovement.md
+7 -6
View File
@@ -1,12 +1,13 @@
## Lateral Movement
### T1550.002 Pass the Hash
Atomics: [T1550.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md)
### T1550 Pass the Hash & Pass the Ticket
Atomics: [T1550.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md), [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md)
Here we're focusing on detecting command line arguments of Mimikatz, so binary and powershell mimikatz will be detected assuming arguments haven't been modified before deployment.
### T1550.003 Pass the Ticket
Atomics: [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md)
```
TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt")
```
### T1563.002 RDP Hijacking
Atomics: [T1563.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md)
@@ -17,7 +18,7 @@ Detects RDS and RemoteApp session redirections for lateral movement.
SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"
```
### T1021.001 Remote Desktop Protocol
### T1021.001 Scripted Lateral RDP
Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md)
Below query will catch both Atomic tests because it focuses on detecting the use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).