Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 09:15:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Putting wrap on Exfil queries for now

Browse Source
This commit is contained in:
@
2020-09-27 12:22:16 -05:00
parent cef2936e2d
commit b531c3e775
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Tactics/Exfiltration.md
+6 -4
View File
@@ -1,10 +1,12 @@
## Exfiltration
There are a number of ways to use current supported indicators to detect data exfiltration, some with higher accuracy than others. Detection by command lines can have environmental noise, detection based on network connection indicators may require lost of custom filtering as well. Exfiltration queries need to be expanded, but for now I've limited them to the Atomic Red Team tests that can be detected.
### T1020 Automated Exfiltration
Atomics: [T1020](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md)
Detection of powershell data POST and PUT with Invoke-WebRequest.
### T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Atomics: [T1048.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md)
```
SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
```