Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1546.002 Screensaver

Browse Source
This commit is contained in:
keyboardcrunch
2020-09-15 20:28:52 -05:00
committed by GitHub
parent 08549f4716
commit a64e020479
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries.md
+5 -1
View File
@@ -169,9 +169,13 @@ Detects Process Injection through execution of MavInject, filtering out noisy/ex
### T1546.002 Screensaver ### T1546.002 Screensaver
Atomics: [T1546.002]() Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md)
Detects malicious changes to screensaver through Registry changes, filtering expected processes.
```
RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe"))
```
### T1547.005 Security Support Provider ### T1547.005 Security Support Provider
Atomics: [T1547.005]() Atomics: [T1547.005]()