Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2b11a2768b806b05d26e8ba8617705847f35f574
keyboardcrunch-sentinelone-…/queries.md
T
keyboardcrunch 2b11a2768b Added T1546.007 netsh helper dll
2020-09-15 15:44:50 -05:00

5.9 KiB
Raw Blame History

Windows Atomic Tests by ATT&CK Tactic & Technique

Privilege Escalation

T1053.002 AT Scheduled Task

Atomics: T1053.002

Detect interactive process execution scheduled by AT command.

TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "

T1546.008 Accessibility Features

Atomics: T1546.008

Detections addition of a debugger process to executables using Image File Execution Options.

(RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options" AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value Create" OR EventType = "Registry Key Create")

T1546 Application Shimming

Atomics: T1546.010 , T1546.011

Detects application shimming through sdbinst or registry modification.

(SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath ContainsCIS "AppInit_DLLs" OR RegistryPath  ContainsCIS "AppCompatFlags") AND (EventType = "Registry Value Create" OR EventType = "Registry Value Modified"))

T1548.002 Bypass User Access Control

Atomics: T1548.002

Detection of UAC bypass through tampering with Shell Open for .ms-settings or .msc file types. Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\...

SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command"

T1574.012 COR Profiler

Atomics: T1574.012

Detection of unmanaged COR profiler hooking of .NET CLR through registry or process command.

(SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment") OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"

T1546.001 Change Default File Association

Atomics: 1546.001

Detection of file association changes. Detection by registry is noisy due to problem filtering on registry root, so install/uninstall apps create noise.

--- File assoc change by registry
RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command" , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry Value Modified" )

Recommended (for now)

--- File assoc change by assoc command
TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"

T1574.001 DLL Search Order Hijacking

Atomics: T1574.001

Detection of DLL search order hijack for AMSI bypass. Search order bypasses can target more than AMSI, so this can be expanded upon greatly by switching the ContainsCIS to In Contains Anycase(dll list).

(FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32") AND EventType = "File Creation"

T1574.002 DLL Side-Loading of Notepad++ GUP.exe

Atomics: T1574.002

Detection for GUP.exe side-loading a dll, where executable has a display name of "WinGup for Notepad++" and has non-standard source process. Keep an eye on Cross Process events or add AND EventType = "Open Remote Process Handle" to the query to narrow down target (child) process.

TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")

T1078.001 Enable Guest account with RDP and Admin

Atomics: T1078.001

Detects enabling of Guest account, adding Guest account to groups, as well as changing of Deny/Allow of Terminal Server connections through Registry changes.

(SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value Modified"))

T1546.012 Image File Execution Options Injection

Atomics: T1546.012

Detection of Image File Execution Options tampering for persistence through Registry monitoring.

RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit") AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess")

T1037.001 Logon Scripts (Windows)

Atomics: T1037.001

Detects addition of logon scripts through command line or registry methods.

SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND EventType = "Registry Value Create")

T1546.007 Netsh Helper DLL

Atomics: T1546.007

Detection of "helper" dlls with network command shell, through command arguments or registry modification.

(TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value Create")
Reference in New Issue View Git Blame Copy Permalink