keyboardcrunch-sentinelone-…/LateralMovement.md
2020-09-27 10:00:25 -05:00

Lateral Movement

T1550 Pass the Hash & Pass the Ticket

Atomics: T1550.002, T1550.003

Here we're focusing on detecting the command line arguments of Mimikatz, so both the Mimikatz binary and the PowerShell variant will be detected, assuming the arguments haven't been modified before deployment.

TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt")

T1563.002 RDP Hijacking

Atomics: T1563.002

Detects RDS and RemoteApp session redirections for lateral movement.

SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"

T1021.001 Scripted Lateral RDP

Atomics: T1021.001

The query below will catch both Atomic tests because it focuses on detecting the use of cmdkey for storing credentials for RDP sessions (often used for automated lateral movement).

TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV" AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:"

T1021.002 SMB/Windows Admin Shares

Atomics: T1021.002

T1021.006 Windows Remote Management

Atomics: T1021.006