Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added T1176 Browser Extension Installation

Browse Source
This commit is contained in:
@
2020-09-18 14:30:29 -05:00
parent 747886353b
commit 8bf41bd1eb
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Persistence.md
+5
View File
@@ -49,6 +49,11 @@ The below query will find and remote content downloads from DesktopImgDownldr or
### T1176 Browser Extensions
Atomics: [T1176](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md)
This query takes a lazy approach to detecting the staging of xpi or crx extension packages for installation within Chrome and Firefox based browsers. Unsure how to filter our extension updates without excluding too much.
```
( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
```
### T1574.012 COR Profiler
Atomics: [T1574.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md)