Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-10 18:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1056.001 Keylogging

Browse Source
This commit is contained in:
@
2020-10-23 16:38:38 -05:00
parent d5c67eb507
commit 62d43adb96
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Tactics/CredentialAccess.md
+5
View File
@@ -65,6 +65,11 @@ Atomics: [T1558.003](https://github.com/redcanaryco/atomic-red-team/blob/master/
### T1056.001 Keylogging ### T1056.001 Keylogging
Atomics: [T1056.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md) Atomics: [T1056.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md)
I wasn't able to get either copy of the Get-Keystrokes.ps1 to work with powershell, but the below should reliably detect invocation by alias or CmdScript line matching.
`
TgtProcCmdline ContainsCIS "Get-Keystrokes" OR SrcProcCmdScript ContainsCIS "user32.dll GetAsyncKeyState" OR SrcProcCmdScript ContainsCIS "[Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32("
`
### T1003.004 LSA Secrets ### T1003.004 LSA Secrets
Atomics: [T1003.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md) Atomics: [T1003.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md)