Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added T1505.002 Transport Agent

Browse Source
This commit is contained in:
@
2020-09-18 16:13:35 -05:00
parent e98fca7964
commit 70c5d60778
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Persistence.md
+6
View File
@@ -234,6 +234,12 @@ Focuses on Test 2: Detection .lnk or .url files written to Startup folders. Filt
### T1505.002 Transport Agent ### T1505.002 Transport Agent
Atomics: [T1505.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md) Atomics: [T1505.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md)
Detection of Powershell TransportAgent Cmdlets being used to setup an Exchange Transport Agent.
```
SrcProcCmdLine In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent") OR SrcProcCmdScript In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
```
### T1505.003 Web Shell ### T1505.003 Web Shell
Atomics: [T1505.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md) Atomics: [T1505.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md)