Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-10 18:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

added T1574.012 COR Profiler

Browse Source
This commit is contained in:
keyboardcrunch
2020-09-14 19:53:24 -05:00
committed by GitHub
parent fda9ecadb2
commit 87e6932879
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries.md
+9
View File
@@ -37,3 +37,12 @@ Detection of UAC bypass through tampering with Shell Open for .ms-settings or .m
``` ```
SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command" SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command"
``` ```
### T1574.012 COR Profiler
Atomics: [T1574.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md)
Detection of unmanaged COR profiler hooking of .NET CLR through registry or process command.
```
(SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment") OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"
```