Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

updated formatting for T1547.001

Browse Source
This commit is contained in:
@
2020-09-18 15:40:13 -05:00
parent eb9926dcd9
commit 6d5b13d208
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Persistence.md
+2
View File
@@ -166,6 +166,7 @@ Detects the addition of process execution strings (`TgtProcCmdLine In Contains A
Atomics: [T1547.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md)
**Atomic Tests 1-3, Registry Run Keys**
Here we're just focusing on the addition of registry keys to Run, RunOnce, RunOnceEx keys where Parent Process isn't "trusted".
```
@@ -173,6 +174,7 @@ Here we're just focusing on the addition of registry keys to Run, RunOnce, RunOn
```
**Atomic Tests 4-6, Startup folder execution**
With the query below we'll focus on catching any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
```