merging changes

2020-09-17 16:41:15 -05:00
parent a758a042c5
commit b4081d94bb
12 changed files with 572 additions and 18 deletions
+42
@@ -0,0 +1,42 @@
## Collection
### T1560 Archive Collected Data
Atomics: [T1560](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md)
### T1560.001 Archive via Utility
Atomics: [T1560.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md)
### T1123 Audio Capture
Atomics: [T1123](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md)
### T1119 Automated Collection
Atomics: [T1119](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md)
### T1115 Clipboard Data
Atomics: [T1115](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md)
### T1056.004 Credential API Hooking
Atomics: [T1056.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md)
### T1056.002 GUI Input Capture
Atomics: [T1056.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md)
### T1056.001 Keylogging
Atomics: [T1056.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md)
### T1074.001 Local Data Staging
Atomics: [T1074.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md)
### T1114.001 Local Email Collection
Atomics: [T1114.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md)
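Review bot: Missing documentation in this new Collection file: every entry carries only a heading and an Atomics link, with no Deep Visibility query and no line saying the queries are still pending, so a reader opening this file cannot tell whether a detection is absent by design or simply not written yet. Suggest a one-line status note directly under `## Collection` (for example `Queries pending; see README for status`) until queries are added, and the same for the other newly added tactic files in this commit that follow this heading-plus-link pattern.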
+34
@@ -0,0 +1,34 @@
## Command and Control
### T1071.004 DNS
Atomics: [T1071.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md)
### T1573 Encrypted Channel
Atomics: [T1573](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md)
### T1105 Ingress Tool Transfer
Atomics: [T1105](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md)
### T1090.001 Internal Proxy
Atomics: [T1090.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md)
### T1095 Non-Application Layer Protocol
Atomics: [T1095](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md)
### T1571 Non-Standard Port
Atomics: [T1571](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md)
### T1219 Remote Access Software
Atomics: [T1219](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md)
### T1071.001 Web Protocols
Atomics: [T1071.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md)
+79
@@ -0,0 +1,79 @@
## Credential Access
### T1056.004 Credential API Hooking
Atomics: [T1056.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md)
### T1552.001 Credentials In Files
Atomics: [T1552.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md)
### T1555.003 Credentials from Web Browsers
Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md)
### T1552.002 Credentials in Registry
Atomics: [T1552.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md)
### T1056.002 GUI Input Capture
Atomics: [T1056.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md)
### T1552.006 Group Policy Preferences
Atomics: [T1552.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md)
### T1558.003 Kerberoasting
Atomics: [T1558.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md)
### T1056.001 Keylogging
Atomics: [T1056.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md)
### T1003.004 LSA Secrets
Atomics: [T1003.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md)
### T1003.001 LSASS Memory
Atomics: [T1003.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md)
### T1003.003 NTDS
Atomics: [T1003.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md)
### T1040 Network Sniffing
Atomics: [T1040](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md)
### T1003 OS Credential Dumping
Atomics: [T1003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md)
### T1110.002 Password Cracking
Atomics: [T1110.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md)
### T1556.002 Password Filter DLL
Atomics: [T1556.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md)
### T1110.001 Password Guessing
Atomics: [T1110.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md)
### T1110.003 Password Spraying
Atomics: [T1110.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md)
### T1552.004 Private Keys
Atomics: [T1552.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md)
### T1003.002 Security Account Manager
Atomics: [T1003.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md)
+94
@@ -0,0 +1,94 @@
## Discovery
### T1010 Application Window Discovery
Atomics: [T1010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md)
### T1217 Browser Bookmark Discovery
Atomics: [T1217](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md)
### T1087.002 Domain Account
Atomics: [T1087.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md)
### T1069.002 Domain Groups
Atomics: [T1069.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md)
### T1482 Domain Trust Discovery
Atomics: [T1482](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md)
### T1083 File and Directory Discovery
Atomics: [T1083](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md)
### T1087.001 Local Account
Atomics: [T1087.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md)
### T1069.001 Local Groups
Atomics: [T1069.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md)
### T1046 Network Service Scanning
Atomics: [T1046](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md)
### T1135 Network Share Discovery
Atomics: [T1135](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md)
### T1040 Network Sniffing
Atomics: [T1040](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md)
### T1201 Password Policy Discovery
Atomics: [T1201](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md)
### T1057 Process Discovery
Atomics: [T1057](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md)
### T1012 Query Registry
Atomics: [T1012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md)
### T1018 Remote System Discovery
Atomics: [T1018](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md)
### T1518.001 Security Software Discovery
Atomics: [T1518.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md)
### T1518 Software Discovery
Atomics: [T1518](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md)
### T1082 System Information Discovery
Atomics: [T1082](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md)
### T1016 System Network Configuration Discovery
Atomics: [T1016](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md)
### T1049 System Network Connections Discovery
Atomics: [T1049](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md)
### T1033 System Owner/User Discovery
Atomics: [T1033](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md)
### T1007 System Service Discovery
Atomics: [T1007](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md)
### T1124 System Time Discovery
Atomics: [T1124](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md)
+42
@@ -0,0 +1,42 @@
## Execution
### T1053.002 At (Windows)
Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md)
### T1559.002 Dynamic Data Exchange
Atomics: [T1559.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md)
### T1204.002 Malicious File
Atomics: [T1204.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md)
### T1106 Native API
Atomics: [T1106](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md)
### T1059.001 PowerShell
Atomics: [T1059.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md)
### T1053.005 Scheduled Task
Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md)
### T1569.002 Service Execution
Atomics: [T1569.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md)
### T1059.005 Visual Basic
Atomics: [T1059.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md)
### T1059.003 Windows Command Shell
Atomics: [T1059.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md)
### T1047 Windows Management Instrumentation
Atomics: [T1047](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md)
+10
@@ -0,0 +1,10 @@
## Exfiltration
### T1020 Automated Exfiltration
Atomics: [T1020](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md)
### T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Atomics: [T1048.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md)
+22
@@ -0,0 +1,22 @@
## Impact
### T1531 Account Access Removal
Atomics: [T1531](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md)
### T1485 Data Destruction
Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md)
### T1490 Inhibit System Recovery
Atomics: [T1490](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md)
### T1489 Service Stop
Atomics: [T1489](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md)
### T1529 System Shutdown/Reboot
Atomics: [T1529](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md)
+25
@@ -0,0 +1,25 @@
## Lateral Movement
### T1550.002 Pass the Hash
Atomics: [T1550.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md)
### T1550.003 Pass the Ticket
Atomics: [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md)
### T1563.002 RDP Hijacking
Atomics: [T1563.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md)
### T1021.001 Remote Desktop Protocol
Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md)
### T1021.002 SMB/Windows Admin Shares
Atomics: [T1021.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md)
### T1021.006 Windows Remote Management
Atomics: [T1021.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md)
+208
@@ -0,0 +1,208 @@
## Persistence
### T1546.008 Accessibility Features
Atomics: [T1546.008](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md)
Detections addition of a debugger process to executables using Image File Execution Options.
```
(RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options" AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value Create" OR EventType = "Registry Key Create")
```
### T1098 Account Manipulation
Atomics: [T1098](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md)
### T1546.010 Application Shimming
Atomics: [T1546.010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.010.md) ,
[T1546.011](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md)
Detects application shimming through sdbinst or registry modification.
```
(SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath ContainsCIS "AppInit_DLLs" OR RegistryPath ContainsCIS "AppCompatFlags") AND (EventType = "Registry Value Create" OR EventType = "Registry Value Modified"))
```
### T1053.002 AT Scheduled Task
Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md)
Detect interactive process execution scheduled by AT command.
```
TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "
```
### T1197 BITS Jobs
Atomics: [T1197](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md)
### T1176 Browser Extensions
Atomics: [T1176](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md)
### T1574.012 COR Profiler
Atomics: [T1574.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md)
Detection of unmanaged COR profiler hooking of .NET CLR through registry or process command.
```
(SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment") OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"
```
### T1546.001 Change Default File Association
Atomics: [T1546.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md)
### T1574.001 DLL Search Order Hijacking
Atomics: [T1574.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md)
Detection of DLL search order hijack for AMSI bypass. Search order bypasses can target more than AMSI, so this can be expanded upon greatly by switching the `ContainsCIS` to `In Contains Anycase(dll list)`.
```
(FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32") AND EventType = "File Creation"
```
### T1574.002 DLL Side-Loading of Notepad++ GUP.exe
Atomics: [T1574.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md)
Detection for GUP.exe side-loading a dll, where executable has a display name of "WinGup for Notepad++" and has non-standard source process. Keep an eye on Cross Process events or add `AND EventType = "Open Remote Process Handle"` to the query to narrow down target (child) process.
```
TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
```
### T1078.001 Enable Guest account with RDP and Admin
Atomics: [T1078.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md)
Detects enabling of Guest account, adding Guest account to groups, as well as changing of Deny/Allow of Terminal Server connections through Registry changes.
```
(SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value Modified"))
```
### T1546.012 Image File Execution Options Injection
Atomics: [T1546.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md)
Detection of Image File Execution Options tampering for persistence through Registry monitoring.
```
RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit") AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess")
```
### T1136.001 Local Account
Atomics: [T1136.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md)
### T1037.001 Logon Scripts (Windows)
Atomics: [T1037.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md)
Detects addition of logon scripts through command line or registry methods.
```
SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND EventType = "Registry Value Create")
```
### T1546.007 Netsh Helper DLL
Atomics: [T1546.007](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md)
Detection of "helper" dlls with network command shell, through command arguments or registry modification.
```
(TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value Create")
```
### T1574.009 Unquoted Service Path for program.exe
Atomics: [T1574.009](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md)
Detects creation or modification of the file at `C:\program.exe` for exploiting unquoted services paths of Program Files folder.
```
(FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification")) OR TgtProcImagePath = "C:\program.exe"
```
### T1546.013 Malicious Process Start Added to Powershell Profile
Atomics: [T1546.013](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md)
Detects the addition of process execution strings (`TgtProcCmdLine In Contains Anycase (list)`)to the powershell profile, through CommandLine and CommandScript indicators.
```
(SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile" AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c"))
```
### T1547.001 Registry Run Keys / Startup Folder
Atomics: [T1547.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md)
### T1053.005 Scheduled Task
Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md)
### T1546.002 Screensaver
Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md)
Detects malicious changes to screensaver through Registry changes, filtering expected processes.
```
RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
```
### T1547.005 Security Support Provider
Atomics: [T1547.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md)
Detection of changes to Security Support Provider through Registry modification. Filters most standard system changes with `SrcProcName Not In (list)` but there will be some noise from installers.
```
RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not ContainCIS "system32\wsauth.dll")
```
### T1574.010 Services File Permissions Weakness
Atomics: [T1574.010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.010/T1574.010.md)
### T1574.011 Services Registry Permissions Weakness
Atomics: [T1574.011](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md)
### T1547.009 Startup Shortcuts
Atomics: [T1547.009](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md)
Focuses on Test 2: Detection .lnk or .url files written to Startup folders. Filters noise with `SrcProcName Not In (list)` but you can remove noise from 3rd party update services updating their links by adding `SrcProcParentName != "userinit.exe"` to the query.
```
(FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
```
### T1505.002 Transport Agent
Atomics: [T1505.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md)
### T1505.003 Web Shell
Atomics: [T1505.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md)
### T1546.003 Windows Management Instrumentation Event Subscription
Atomics: [T1546.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md)
Detect WMI Event Subs using the New-CimInstance cmdlet, through CommandLine and CommandScript indicators.
```
SrcProcCmdLine ContainsCIS "New-CimInstance -Namespace root/subscription" OR SrcProcCmdScript ContainsCIS "New-CimInstance -Namespace root/subscription"
```
### T1543.003 Windows Service
Atomics: [T1543.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md)
Detects creation and modification of windows services through binPath argument to sc.exe.
```
TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
```
### T1547.004 Winlogon Helper DLL
Atomics: [T1547.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md)
Detects Winlogon Helper Dll changes through Registry MetadataIndicator item, as it holds the full registry change info but will only return data of the Indicators object type.
```
IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell") AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
```
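Review bot: The T1546.010 Atomics link points at the wrong directory: `atomics/T1546.011/T1546.010.md` should be `atomics/T1546.010/T1546.010.md` to match the `atomics/<id>/<id>.md` pattern every other entry uses. Two queries mix registry field names: the Application Shimming query tests `RegistryKeyPath` in one clause and `RegistryPath` in the next, and the Netsh Helper DLL query uses `RegistryPath` while the rest of the file uses `RegistryKeyPath`; if `RegistryPath` is not a real field, that clause never matches and the registry branch of the detection is silently dead, so pick one name and apply it throughout. Case handling is also inconsistent: the COR Profiler query and the Windows Service query (`TgtProcCmdLine Contains "binPath="`) use the case-sensitive `Contains` while the rest of the file uses `ContainsCIS`, so a differently cased `binpath=` on the command line is missed; switching to `ContainsCIS` keeps the file consistent. Smaller text fixes in the same hunk: `Detections addition of a debugger process` (Accessibility Features) and `Test 2: Detection .lnk or .url files` (Startup Shortcuts) read as `Detects ...`, the Powershell Profile description lacks a space in `(list)`)to`, and the Winlogon description refers to a `MetadataIndicator` item while its query filters on `IndicatorMetadata`.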
+2 -2
@@ -32,7 +32,7 @@ Detects application shimming through sdbinst or registry modification.
Atomics: [T1548.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md)
Detection of UAC bypass through tampering with Shell Open for .ms-settings or .msc file types.
`Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\...`
** Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\... ***
```
SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command"
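Review bot: The replacement line's emphasis is malformed: `** Noted issues ... ***` opens with two asterisks and closes with three, with spaces inside the markers, so Markdown renders the asterisks literally instead of bolding the text; the backtick version it replaces at least rendered, if only as a code span. Suggest `**Note:** Noted issues with Sentinel Agent 4.3.2.86 ...` as plain prose, and fix `wer` to `were` while touching the line. It would also help to state the consequence explicitly, since this agent issue is presumably why the query below matches on `SrcProcCmdLine` rather than on the registry key path.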
@@ -172,7 +172,7 @@ Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/
Detects malicious changes to screensaver through Registry changes, filtering expected processes.
```
RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe"))
RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
```
### T1547.005 Security Support Provider
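Review bot: The edited screensaver query is identical to the T1546.002 entry in the newly added Persistence file in this same commit, so the detection now lives in two files and future fixes will have to be applied twice; if persistence techniques are moving to their own file, drop this copy rather than patching it. On the change itself, adding `CcmExec.exe` to the `SrcProcName Not In` exclusion is a name-only match with no path constraint, so a short comment on why the SCCM client legitimately writes `SCRNSAVE.EXE` would document the trade-off being accepted.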
+12 -14
@@ -1,7 +1,9 @@
# ATT&CK Mapped SentinelOne Queries
MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity
This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicators data being queried is only collected by newer agents.
This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections.
** These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicators data being queried is only collected by newer agents. **
## Tactics (COMPLETED)
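Review bot: `Visiblity` in the subtitle line should be `Visibility` (the paragraph below already spells it correctly). The added `** These queries have been crafted ... **` line has spaces inside the asterisks, so it will not render as bold; either remove the spaces or make it a plain paragraph. The new intro paragraph's second sentence runs three thoughts together (`Not all techniques ... will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand ...`) and would read better split into two or three sentences.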
@@ -14,24 +16,20 @@ This project aims to document SentinelOne Deep Visibility queries for detecting
[Defense Evasion](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md)
[Persistence](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Persistence.exe)
## Tactics (PENDING)
[Persistence]()
[Impact](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Impact.md)
[Impact]()
[Discovery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Discovery.md)
[Discovery]()
[Command and Control](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CommandAndControl.md)
[Command and Control]()
[Collection](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Collection.md)
[Collection]()
[Execution](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Execution.md)
[Execution]()
[Exfiltration]()
[Credential Access]()
[Lateral Movement]()
[Exfiltration](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Exfiltration.md)
[Credential Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CredentialAccess.md)
[Lateral Movement](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/LateralMovement.md)
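Review bot: The Persistence link under `## Tactics (COMPLETED)` points to `Persistence.exe`; every other tactic link ends in `.md`, so this should be `Persistence.md` or the link will 404. It is also unclear from this hunk whether Impact, Discovery, Command and Control, Collection, Execution, Exfiltration, Credential Access and Lateral Movement are meant to stay under `## Tactics (PENDING)` now that they have links; since their new files contain only headings and Atomics links, keeping them under PENDING is consistent, but the README should say that those links lead to stub files without queries yet.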