Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

added CMSTPLUA COM UAC bypass

Browse Source
This commit is contained in:
@
2020-09-22 16:08:08 -05:00
parent 07a639293f
commit f43c63475d
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
DefenseEvasion.md
+6
View File
@@ -26,6 +26,12 @@ Detection of UAC bypass through tampering with Shell Open for .ms-settings or .m
SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command"
```
To further UAC bypass detection, the below query will detect CMSTPLUA COM interface abuse by GUID and can be combined with the above. See [Security-in-bits](https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/#footnote) for more.
```
TgtProcDisplayName = "COM Surrogate" AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
```
### T1218.003 CMSTP
Atomics: [T1218.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md)