keyboardcrunch-sentinelone-…/Execution.md
2020-09-17 19:34:17 -05:00

Execution

T1053.002 AT Scheduled Task

Atomics: T1053.002

Detect interactive process execution scheduled with the AT command (at.exe run with the /interactive switch).

TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "

T1559.002 Dynamic Data Exchange

Atomics: T1559.002

T1204.002 Malicious Documents

Atomics: T1204.002

The Atomic tests for this technique overlap heavily with T1566.001 Spearphishing Attachment (similar download and macro detections), so this query focuses on Office applications launching child processes. It covers tests 1, 3 and 4; test #2 is standalone cscript execution and is covered by other queries.

(SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe")) OR IndicatorName = "SuspiciousDocument"
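Added example, not code from the keyboardcrunch repository: a Python emulation of the two Deep Visibility queries above (T1053.002 AT and T1204.002 Malicious Documents) run over constructed telemetry records. It assumes DV's field semantics (TgtProc* is the process a process-creation event targets, SrcProc* is the acting process and SrcProcParentName its parent), reads the case handling literally from the query text (`ContainsCIS` and `In Contains Anycase` are case-insensitive, plain `In Contains` and `=` are not), and uses sample events that are constructed, not real telemetry. It shows which events each query surfaces and which it misses (test #2 style standalone cscript, a cmdline without the trailing space after `/interactive`).

```python
"""Emulate two SentinelOne Deep Visibility queries over constructed process telemetry.

Added example for the Execution page; not code from the keyboardcrunch repository.
Field semantics and case handling are assumptions taken from DV naming and the
literal query text.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ProcEvent:
    """One telemetry record using DV field names (semantics assumed, see module doc)."""
    event_id: int
    tgt_proc_name: str = ""
    tgt_proc_cmdline: str = ""
    src_proc_name: str = ""
    src_proc_parent_name: str = ""
    indicator_name: Optional[str] = None


def contains_cis(value: str, needle: str) -> bool:
    """DV `ContainsCIS`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def in_contains(value: str, options: Sequence[str], anycase: bool = False) -> bool:
    """DV `In Contains (...)`: true if any listed string is a substring of the value.

    anycase=True emulates `In Contains Anycase (...)`; otherwise the comparison is
    taken literally (case-sensitive), mirroring how the original query is written.
    """
    if anycase:
        value = value.lower()
        options = [o.lower() for o in options]
    return any(o in value for o in options)


def rule_t1053_002_at_interactive(ev: ProcEvent) -> bool:
    # TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "
    return ev.tgt_proc_name == "at.exe" and contains_cis(ev.tgt_proc_cmdline, "/interactive ")


OFFICE_PARENTS = ("WINWORD.EXE", "EXCEL.EXE")
OFFICE_CHILDREN = ("cmd.exe", "cscript.exe", "wscript.exe", "certutil.exe",
                   "powershell.exe", "msbuild.exe", "csc.exe")


def rule_t1204_002_office_child(ev: ProcEvent) -> bool:
    # (SrcProcParentName In Contains (OFFICE_PARENTS)
    #   AND SrcProcName In Contains Anycase (OFFICE_CHILDREN))
    #   OR IndicatorName = "SuspiciousDocument"
    office_parent = in_contains(ev.src_proc_parent_name, OFFICE_PARENTS)
    lolbin_child = in_contains(ev.src_proc_name, OFFICE_CHILDREN, anycase=True)
    return (office_parent and lolbin_child) or ev.indicator_name == "SuspiciousDocument"


RULES = {
    "T1053.002": rule_t1053_002_at_interactive,
    "T1204.002": rule_t1204_002_office_child,
}

# Constructed sample telemetry (not captured from a real endpoint).
SAMPLE_EVENTS = [
    ProcEvent(1, tgt_proc_name="at.exe", tgt_proc_cmdline="at.exe 13:20 /interactive cmd.exe"),
    ProcEvent(2, tgt_proc_name="at.exe", tgt_proc_cmdline="AT 13:20 /INTERACTIVE cmd.exe"),
    ProcEvent(3, tgt_proc_name="at.exe", tgt_proc_cmdline="at.exe 13:20 cmd.exe /c whoami"),
    ProcEvent(4, src_proc_name="PowerShell.exe", src_proc_parent_name="WINWORD.EXE"),
    ProcEvent(5, src_proc_name="cmd.exe", src_proc_parent_name="EXCEL.EXE"),
    # Test #2 style: cscript started directly, not by an Office process -> not this query's job.
    ProcEvent(6, src_proc_name="cscript.exe", src_proc_parent_name="explorer.exe"),
    # Lower-case parent name: misses the case-sensitive parent list as the query is written.
    ProcEvent(7, src_proc_name="wscript.exe", src_proc_parent_name="winword.exe"),
    # Behavioral indicator alone is enough for the OR branch.
    ProcEvent(8, src_proc_name="WINWORD.EXE", src_proc_parent_name="explorer.exe",
              indicator_name="SuspiciousDocument"),
]


def run_rules(events: Sequence[ProcEvent]) -> Dict[str, List[int]]:
    """Return, per technique, the ids of events the emulated query would surface."""
    return {tid: [ev.event_id for ev in events if rule(ev)] for tid, rule in RULES.items()}


if __name__ == "__main__":
    for tid, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{tid}: events {hits}")
```

Two things the run makes visible: the AT query requires a space after `/interactive`, so a cmdline ending in `/interactive` with nothing after it is not matched, and the Office query's parent list is matched case-sensitively while the child list is not, so the emulation only fires on the parent spellings exactly as listed.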

T1106 Native API

Atomics: T1106

T1059.001 PowerShell

Atomics: T1059.001

T1053.005 Scheduled Task

Atomics: T1053.005

T1569.002 Service Execution

Atomics: T1569.002

T1059.005 Visual Basic

Atomics: T1059.005

T1059.003 Windows Command Shell

Atomics: T1059.003

T1047 Windows Management Instrumentation

Atomics: T1047