Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added T1053.005 Scheduled Tasks

Browse Source
This commit is contained in:
@
2020-09-18 15:52:24 -05:00
parent 6d5b13d208
commit afb9bac150
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Persistence.md
+5
View File
@@ -184,6 +184,11 @@ FileFullName ContainsCIS "Programs\Startup" AND FileType In Contains Anycase ("v
### T1053.005 Scheduled Task ### T1053.005 Scheduled Task
Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md) Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md)
Our goal with this query is to detect any schtasks /create command as well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName executables.
```
(( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" ) OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript ContainsCIS "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")
```
### T1546.002 Screensaver ### T1546.002 Screensaver
Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md) Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md)