Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 09:15:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1055.004

Browse Source
This commit is contained in:
@
2020-09-20 20:24:24 -05:00
parent 9cca8c70c8
commit 6c21202b61
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
DefenseEvasion.md
+4
View File
@@ -3,6 +3,10 @@
### T1055.004 Asynchronous Procedure Call
Atomics: [T1055.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md)
SentinelOne isn't great at detecting all 5 injection methods, only 1 indicator of **RemoteInjection** is caught (Agent v. 4.3.2.86, Liberty SP2). In the future you could probably look for unsigned processes with some sort of combination of Cross Process event types > ##.
Reviewing process execution data for T1055.exe, I noted 4 child calc.exe processes and 2 notepad.exe child processes with their own calc.exe children; both notepad.exe instances had 2 **Process** events despite only having one child (most with CrossProcess entreis in_storyline but only 1 storyline_child).
### T1197 BITS Jobs
Atomics: [T1197](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md)