Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
23e97ac3c4c98b33a5153a1b638d4e8cdf042bc8
keyboardcrunch-sentinelone-…/LateralMovement.md
T
@ 23e97ac3c4 T1021.001 Scripted Lateral RDP
2020-09-27 09:52:42 -05:00

1.4 KiB
Raw Blame History

Lateral Movement

T1550.002 Pass the Hash

Atomics: T1550.002

T1550.003 Pass the Ticket

Atomics: T1550.003

T1563.002 RDP Hijacking

Atomics: T1563.002

Detects RDS and RemoteApp session redirections for lateral movement.

SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"

T1021.001 Remote Desktop Protocol

Atomics: T1021.001

Below query will catch both Atomic tests because it focuses on detecting the use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).

TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV" AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:"

T1021.002 SMB/Windows Admin Shares

Atomics: T1021.002

T1021.006 Windows Remote Management

Atomics: T1021.006

Reference in New Issue View Git Blame Copy Permalink