Added T1489

2020-09-27 12:11:07 -05:00
parent ee7bfc3817
commit c62672e0c3
+8 -1
@@ -27,6 +27,13 @@ Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion of shadowc
TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy" AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy" AND SrcProcCmdScript ContainsCIS "Delete()")
```
### T1489 Service Stop
### T1489 Service Disable
Atomics: [T1489](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md)
Stopping services is too common, so we're instead detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
*Atomic tests don't align with detection query*
```
(TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled") OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType Disabled")
```
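Review bot: the two back-to-back headings `### T1489 Service Stop` and `### T1489 Service Disable` leave the first one as an empty section; since the paragraph says service stopping is deliberately not detected, either drop the `Service Stop` heading or put that one-sentence rationale under it so the section does not read as unfinished. In the query, the `sc.exe` clause fires on any command line containing "disabled" anywhere (a service name or binary path with that word would match), whereas the case described is `sc config <svc> start= disabled`; anchoring on `ContainsCIS "start= disabled"` would keep that case and cut the noise. The note *Atomic tests don't align with detection query* would be more useful if it named what does not align, i.e. that the T1489 atomics stop services rather than disable them, so a tester running them knows a non-firing query is expected and not a false negative.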