Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-10 18:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1552.001 LaZagne and findstr

Browse Source
This commit is contained in:
@
2020-10-23 14:04:26 -05:00
parent de7146f4c4
commit 69e0d5a835
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Tactics/CredentialAccess.md
+10
View File
@@ -8,6 +8,16 @@ Atomics: [T1056.004](https://github.com/redcanaryco/atomic-red-team/blob/master/
### T1552.001 Credentials In Files ### T1552.001 Credentials In Files
Atomics: [T1552.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md) Atomics: [T1552.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md)
#### Test #1 - LaZagne
LaZagne happens to spawn 3 cmd shells to save security, system and sam RegKeys, and the standard compiled release from github will have the original name artifact of lazagne.exe.manifest within the %temp%\_MEI?????\lazagne.exe.manifest location.
`
TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
`
#### Test #3 - findstr password extraction
`
TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern password"
`
### T1555.003 Credentials from Web Browsers ### T1555.003 Credentials from Web Browsers
Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md) Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md)