Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6a228d23eefe963ca81f2d52f94b815f61ef5ee0
keyboardcrunch-sentinelone-…/Tactics/Exfiltration.md
T
@ b531c3e775 Putting wrap on Exfil queries for now
2020-09-27 12:22:16 -05:00

773 B
Raw Blame History

Exfiltration

There are a number of ways to use current supported indicators to detect data exfiltration, some with higher accuracy than others. Detection by command lines can have environmental noise, detection based on network connection indicators may require lost of custom filtering as well. Exfiltration queries need to be expanded, but for now I've limited them to the Atomic Red Team tests that can be detected.

T1020 Automated Exfiltration

Atomics: T1020

Detection of powershell data POST and PUT with Invoke-WebRequest.

SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
Reference in New Issue View Git Blame Copy Permalink