T1555.003 Modified AccessChk

2020-10-23 15:05:20 -05:00
parent f30d6d6bff
commit 619c7d57fc
@@ -23,6 +23,13 @@ TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern pa
### T1555.003 Credentials from Web Browsers ### T1555.003 Credentials from Web Browsers
Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md) Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md)
#### Test #1 - Modified SysInternals AccessChk Chrome password collector
To focus on detection, we're looking for AccessChk.exe where the DisplayName does not match that of the original. There's 4X as many Cross_Process objects with this query but none detect the collection of the Chrome password db.
`
TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permissions for securable objects"
`
### T1552.002 Credentials in Registry ### T1552.002 Credentials in Registry
Atomics: [T1552.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md) Atomics: [T1552.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md)
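Review bot: the query under "Test #1" is wrapped in single backticks on their own lines, which Markdown does not render as a code block (inline code cannot span lines); use a triple-backtick fence so the query displays as one block. On the query itself, `TgtProcName = "accesschk.exe"` anchors on the file name while the mismatch check `TgtProcDisplayName != "Reports effective permissions for securable objects"` only fires when the version resource was altered, so a copy that keeps the original resources but is renamed falls outside both clauses; the accompanying sentence already concedes that this query does not detect the Chrome password db collection, so that should be stated explicitly as a known gap (for example "Known gap: does not fire on the Chrome password db read") rather than left implicit in "none detect". Minor: "There's 4X as many" should read "There are 4x as many".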