mirror of
https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries
synced 2026-06-08 17:17:21 +00:00
added desc to T1027.004
@@ -34,6 +34,8 @@ Atomics: [T1070.001](https://github.com/redcanaryco/atomic-red-team/blob/master/
### T1027.004 Compile After Delivery
Atomics: [T1027.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md)
Both Atomic tests for this technique leverage csc.exe for compilation of code. The below will detect specific compilation of executables as well as dynamic compilation through detection of csc.exe creating executable files (both dll and exe).
```
(TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName = "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe","AbtSvcHost_.exe"))
```
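Review bot: the first clause pairs `TgtProcName = "csc.exe"` with `SrcProcCmdLine`, so it inspects the parent's command line rather than csc.exe's own; when csc.exe is the target process its arguments are on the target side, so this should read `TgtProcName = "csc.exe" AND TgtProcCmdLine Contains "/target:exe"` or the clause will only fire when the parent happens to carry that string. Also, csc accepts the short and dash forms (`/t:exe`, `-target:exe`, `-t:exe`), which `Contains "/target:exe"` misses, so a broader match (e.g. both `target:exe` and `t:exe`) would close that gap, and the description says dll output is covered too while this clause only looks for `exe`, leaving dll detection to the second clause alone. Finally, the `AbtSvcHost_.exe` exclusion in the parent-name list has no explanation in the text; a sentence stating what product legitimately compiles via csc.exe from that host would help reviewers judge whether the exclusion is safe.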