restructure of directory contents

2026-06-08 17:17:21 +00:00 · 2020-09-27 11:14:21 -05:00
parent 54bfe573f7
commit 9da3392c99
13 changed files with 15 additions and 15 deletions
@@ -1,5 +1,5 @@
 # ATT&amp;CK Mapped SentinelOne Queries
-MITRE ATT&amp;CK mapped queries for SentinelOne Deep Visiblity
+[MITRE ATT&amp;CK](https://attack.mitre.org/) mapped queries for SentinelOne Deep Visiblity
 This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections. 
@@ -7,29 +7,29 @@ This project aims to document SentinelOne Deep Visibility queries for detecting
 ## Tactics (COMPLETED)
-[Privilege Escalation](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/PrivilegeEscalation.md)
+[Privilege Escalation](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/PrivilegeEscalation.md)
-[Initial Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/InitialAccess.md)
+[Initial Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/InitialAccess.md)
-[Persistence](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Persistence.md)
+[Persistence](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Persistence.md)
-[Execution](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Execution.md)
+[Execution](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Execution.md)
-[Lateral Movement](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/LateralMovement.md)
+[Lateral Movement](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/LateralMovement.md)
 ## Tactics (IN PROGRESS)
-[Defense Evasion](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md)
+[Defense Evasion](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/DefenseEvasion.md)
-[Impact](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Impact.md)
+[Impact](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Impact.md)
-[Discovery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Discovery.md)
+[Discovery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Discovery.md)
-[Command and Control](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CommandAndControl.md)
+[Command and Control](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/CommandAndControl.md)
-[Collection](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Collection.md)
+[Collection](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Collection.md)
-[Exfiltration](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Exfiltration.md)
+[Exfiltration](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/Exfiltration.md)
-[Credential Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CredentialAccess.md)
+[Credential Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/CredentialAccess.md)
@@ -26,12 +26,12 @@ The tests for this technique overlap heavily with [T1566.001 Spearphishing Attac
 ### T1106 Native API
 Atomics: [T1106](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md)
-There aren't any combination of available indicator types to query to find malicious uses of WinAPI for process execution, though this test can be detected through [T1027.004 Compile After Delivery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md#t1027004-compile-after-delivery)
+There aren't any combination of available indicator types to query to find malicious uses of WinAPI for process execution, though this test can be detected through [T1027.004 Compile After Delivery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/DefenseEvasion.md#t1027004-compile-after-delivery)
 ### T1059.001 PowerShell
 Atomics: [T1059.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md)
-Most of the Atomic Tests in this case are detected by their download cradles with [T1566.001 Test 1](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/InitialAccess.md#t1566001-spearphishing-attachment) or `IndicatorName = "ObfuscatedPSCommand"`, if not other LOLBAS detection methods for later portion of command execution.
+Most of the Atomic Tests in this case are detected by their download cradles with [T1566.001 Test 1](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Tactics/InitialAccess.md#t1566001-spearphishing-attachment) or `IndicatorName = "ObfuscatedPSCommand"`, if not other LOLBAS detection methods for later portion of command execution.
 ### T1053.005 Scheduled Tasks
 Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md)