Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added T1490

Browse Source
This commit is contained in:
@
2020-09-27 12:02:04 -05:00
parent 40b378a6e3
commit d5ca86bf47
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Tactics/Impact.md
+6 -1
View File
@@ -12,7 +12,7 @@ SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR TgtPr
### T1485 Data Destruction ### T1485 Data Destruction
Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md) Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md)
Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support `TgtFileDeletionCount > "100"` query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
``` ```
(AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of=") OR TgtProcDisplayName = "Secure file delete" (AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of=") OR TgtProcDisplayName = "Secure file delete"
@@ -21,6 +21,11 @@ Detection of SDelete (by display name) and execution of DD command on *nix opera
### T1490 Inhibit System Recovery ### T1490 Inhibit System Recovery
Atomics: [T1490](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md) Atomics: [T1490](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md)
Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion of shadowcopy content and disabling of system recovery.
```
TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy" AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy" AND SrcProcCmdScript ContainsCIS "Delete()")
```
### T1489 Service Stop ### T1489 Service Stop
Atomics: [T1489](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md) Atomics: [T1489](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md)