mirror of
https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries
synced 2026-06-08 17:17:21 +00:00
Impact
T1531 Account Access Removal
Atomics: T1531
Detects the deletion of a local user account (net user ... /delete) or the removal of Active Directory group membership through PowerShell cmdlets. Account password resets performed for impact are not covered, because such a rule produced too many false detections.
SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR TgtProcCmdLine ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS "Remove-ADGroupMember"
T1485 Data Destruction
Atomics: T1485
Detects SDelete (by its process display name) and execution of the dd command with an output file (of=) on *nix operating systems.
(AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of=") OR TgtProcDisplayName = "Secure file delete"
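The T1531 and T1485 query logic above, re-expressed in Python as an added example (not code from the repository) so it can be exercised against constructed process events and its edge cases seen: the tempered-dot regex, the of= requirement for dd, and a command line the regex does not cover. Field names mirror the query; treating RegExp as case-insensitive is an assumption.

```python
import re

# Tempered-dot pattern from the T1531 query: "net user" ... "/delete", where the
# middle part is any text that does not itself contain " /delete".
# IGNORECASE is an assumption about how the platform evaluates RegExp.
NET_USER_DELETE = re.compile(r"net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete", re.IGNORECASE)
AD_GROUP_CMDLET = "remove-adgroupmember"  # ContainsCIS = case-insensitive substring


def detect_t1531(ev):
    """Account Access Removal: local user deletion or AD group membership removal."""
    if NET_USER_DELETE.search(ev.get("SrcProcCmdLine", "")):
        return True
    return any(AD_GROUP_CMDLET in ev.get(f, "").lower()
               for f in ("TgtProcCmdLine", "SrcProcCmdScript"))


def detect_t1485(ev):
    """Data Destruction: dd with an output file on Linux/macOS, or SDelete by display name."""
    nix_dd = (ev.get("AgentOS") in ("linux", "osx")
              and ev.get("TgtProcName") == "dd"
              and "of=" in ev.get("TgtProcCmdLine", "").lower())
    return nix_dd or ev.get("TgtProcDisplayName") == "Secure file delete"


def triage(events):
    """Return {event id: [technique ids]} for every event that fires at least one rule."""
    hits = {}
    for ev in events:
        fired = [t for t, fn in (("T1531", detect_t1531), ("T1485", detect_t1485)) if fn(ev)]
        if fired:
            hits[ev["id"]] = fired
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "AgentOS": "windows", "SrcProcCmdLine": "net  user tempadmin /delete"},
    {"id": 2, "AgentOS": "windows", "SrcProcCmdLine": "net user tempadmin P@ss /add"},
    {"id": 3, "AgentOS": "windows",
     "TgtProcCmdLine": 'powershell -c "Remove-ADGroupMember -Identity Admins -Members bob"'},
    {"id": 4, "AgentOS": "linux", "TgtProcName": "dd",
     "TgtProcCmdLine": "dd if=/dev/zero of=/var/lib/app/data.db bs=1M"},
    {"id": 5, "AgentOS": "linux", "TgtProcName": "dd",
     "TgtProcCmdLine": "dd if=/dev/sda1 bs=4M status=progress"},  # no of=, so not matched
    {"id": 6, "AgentOS": "windows", "TgtProcDisplayName": "Secure file delete"},
    # Not matched: the regex expects whitespace directly after "net", so "net.exe" falls outside it.
    {"id": 7, "AgentOS": "windows", "SrcProcCmdLine": "net.exe user tempadmin /delete"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # {1: ['T1531'], 3: ['T1531'], 4: ['T1485'], 6: ['T1485']}
```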
T1490 Inhibit System Recovery
Atomics: T1490
T1489 Service Stop
Atomics: T1489
T1529 System Shutdown/Reboot
Atomics: T1529