Credential Access
T1056.004 Credential API Hooking
Atomics: T1056.004
The weight of this test rests on injecting a DLL with mavinject that hooks into PowerShell to intercept the TLS encrypt/decrypt routines; our existing detection for T1055 Mavinject covers these tests.
T1552.001 Credentials In Files
Atomics: T1552.001
Test #1 - LaZagne
LaZagne spawns three cmd shells that run reg.exe save against the SECURITY, SYSTEM and SAM hives (all three hive names start with "s", so the "hklm\s" prefix in the query below covers them), and the standard compiled release from GitHub is a PyInstaller bundle that unpacks to %temp%\_MEI?????\ and leaves the original artifact lazagne.exe.manifest at %temp%\_MEI?????\lazagne.exe.manifest.
TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
Test #3 - findstr password extraction
TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern password"
T1555.003 Credentials from Web Browsers
Atomics: T1555.003
Test #1 - Modified SysInternals AccessChk Chrome password collector
For detection we look for accesschk.exe whose DisplayName does not match the description carried by the genuine Sysinternals binary. Widening the query to Cross_Process objects returns four times as many results, but none of them detect the actual collection of the Chrome password DB.
TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permissions for securable objects"
T1552.002 Credentials in Registry
Atomics: T1552.002
This query detects enumeration of credentials stored in the Registry, including PuTTY saved sessions.
TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS "query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"
T1056.002 GUI Input Capture
Atomics: T1056.002
T1552.006 Group Policy Preferences
Atomics: T1552.006
T1558.003 Kerberoasting
Atomics: T1558.003
T1056.001 Keylogging
Atomics: T1056.001
T1003.004 LSA Secrets
Atomics: T1003.004
T1003.001 LSASS Memory
Atomics: T1003.001
T1003.003 NTDS
Atomics: T1003.003
T1040 Network Sniffing
Atomics: T1040
T1003 OS Credential Dumping
Atomics: T1003
T1110.002 Password Cracking
Atomics: T1110.002
T1556.002 Password Filter DLL
Atomics: T1556.002
T1110.001 Password Guessing
Atomics: T1110.001
T1110.003 Password Spraying
Atomics: T1110.003
T1552.004 Private Keys
Atomics: T1552.004
T1003.002 Security Account Manager
Atomics: T1003.002