Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

added T1059.003 Windows Command Shell

Browse Source
This commit is contained in:
@
2020-09-18 17:43:37 -05:00
parent ac56189245
commit c17dce22d1
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Execution.md
+6
View File
@@ -59,6 +59,12 @@ Atomics: [T1059.005](https://github.com/redcanaryco/atomic-red-team/blob/master/
### T1059.003 Windows Command Shell ### T1059.003 Windows Command Shell
Atomics: [T1059.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md) Atomics: [T1059.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md)
Atomic test cases here simulate execution of batch files, so we're querying for bat files executed where SrcProcParentName isn't an executable we want to filter.
```
(SrcProcName = "cmd.exe" AND FileFullName ContainsCIS "\Temp" AND FileType = "bat") AND SrcProcParentName Not In ("msiexec.exe")
```
### T1047 Windows Management Instrumentation ### T1047 Windows Management Instrumentation
Atomics: [T1047](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md) Atomics: [T1047](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md)