Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-11 02:21:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

spelling and formatting

Browse Source
This commit is contained in:
@
2020-09-20 20:36:09 -05:00
parent 29d8329562
commit 9e709ffe58
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
DefenseEvasion.md
+2 -2
View File
@@ -3,9 +3,9 @@
### T1055.004 Asynchronous Procedure Call ### T1055.004 Asynchronous Procedure Call
Atomics: [T1055.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md) Atomics: [T1055.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md)
SentinelOne isn't great at detecting all 5 injection methods, only 1 indicator of **RemoteInjection** is caught (Agent v. 4.3.2.86, Liberty SP2). In the future you could probably look for unsigned processes with some sort of combination of Cross Process event types > ##. SentinelOne isn't great at detecting all 5 injection methods, only 1 indicator of **RemoteInjection** is caught (Agent v. 4.3.2.86, Liberty SP2). In the future you could probably look for unsigned processes with some sort of combination of **Cross Process** event types > ##.
Reviewing process execution data for T1055.exe, I noted 4 child calc.exe processes and 2 notepad.exe child processes with their own calc.exe children; both notepad.exe instances had 2 **Process** events despite only having one child (most with CrossProcess entreis in_storyline but only 1 storyline_child). Reviewing process execution data for T1055.exe, I noted 4 child calc.exe processes and 2 notepad.exe child processes with their own calc.exe children; both notepad.exe instances had 2 **Process** events despite only having one child (most with **CrossProcess** entries in_storyline but only 1 storyline_child).
### T1197 BITS Jobs ### T1197 BITS Jobs
Atomics: [T1197](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md) Atomics: [T1197](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md)