updated formatting for T1547.001

2020-09-18 15:40:13 -05:00
parent eb9926dcd9
commit 6d5b13d208
@@ -166,6 +166,7 @@ Detects the addition of process execution strings (`TgtProcCmdLine In Contains A
Atomics: [T1547.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md) Atomics: [T1547.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md)
**Atomic Tests 1-3, Registry Run Keys** **Atomic Tests 1-3, Registry Run Keys**
Here we're just focusing on the addition of registry keys to Run, RunOnce, RunOnceEx keys where Parent Process isn't "trusted". Here we're just focusing on the addition of registry keys to Run, RunOnce, RunOnceEx keys where Parent Process isn't "trusted".
``` ```
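Review bot: the note above the fenced query says the Run/RunOnce/RunOnceEx detection only fires where the parent process isn't "trusted", but nothing in this hunk says what counts as trusted; add a sentence listing the allowlisted parent processes (or pointing to where that list lives) so an analyst tuning the rule can see exactly which registry additions the exclusion hides. The hunk header also grows the file by one line with no visible change to the context shown, so the commit message "updated formatting" would be clearer if it named what was reformatted.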
@@ -173,6 +174,7 @@ Here we're just focusing on the addition of registry keys to Run, RunOnce, RunOn
``` ```
**Atomic Tests 4-6, Startup folder execution** **Atomic Tests 4-6, Startup folder execution**
With the query below we'll focus on catching any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations. With the query below we'll focus on catching any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
``` ```
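Review bot: the description limits the Startup-folder rule to vbs, jse and bat files written under any Programs\StartUp folder; state whether that extension list is deliberate or a starting point, since other script or executable file types dropped into the same folder would not be matched by this query, and spell out the ProgramData and AppData paths the query covers so a reader can confirm the `Programs\StartUp` match catches both locations the text promises.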