keyboardcrunch-sentinelone-…/queries.md
2020-09-14 19:53:24 -05:00

T1053.002 AT Scheduled Task

Atomics: T1053.002

Detects interactive process execution scheduled with the AT command.

TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "

T1546.008 Accessibility Features

Atomics: T1546.008

Detects the addition of a debugger process to an executable through Image File Execution Options (IFEO).

(RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options" AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value Create" OR EventType = "Registry Key Create")

T1546 Application Shimming

Atomics: T1546.010 , T1546.011

Detects application shimming through sdbinst or registry modification.

--- T1546 Application Shimming
(SrcProcName = "sdbinst.exe" AND SrcProcCmdLine ContainsCIS ".sdb") OR ((RegistryKeyPath ContainsCIS "AppInit_DLLs" OR RegistryKeyPath ContainsCIS "AppCompatFlags") AND (EventType = "Registry Value Create" OR EventType = "Registry Value Modified"))

T1548.002 Bypass User Access Control

Atomics: T1548.002

Detects UAC bypass through tampering with the Shell Open command handlers for ms-settings and .msc file types. Known issue: with Sentinel Agent 4.3.2.86, detecting this by registry key did not work, because all reported registry key paths were ControlSet001\Service\bam\State\UserSettings\GUID\..., so the query matches on the process command line instead.

SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command"

T1574.012 COR Profiler

Atomics: T1574.012

Detection of unmanaged COR profiler hooking of .NET CLR through registry or process command.

(SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment") OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"
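The five Deep Visibility queries on this page are only as good as the substring logic behind them, so the following added example (not part of the keyboardcrunch repository) replays each detection as a Python predicate over a handful of constructed telemetry records. The field names (TgtProcName, SrcProcCmdLine, RegistryKeyPath, SrcProcCmdScript, EventType) and the ContainsCIS/Contains semantics mirror the query text; the event records, their ids and values are constructed samples, and a real agent may populate RegistryKeyPath differently.

```python
"""Replays the page's five Deep Visibility detections as Python predicates.

Added example, not the repository's own code. Records below are constructed
samples; ContainsCIS is modelled as case-insensitive substring matching and
Contains as case-sensitive matching, as in the query language.
"""


def contains_cis(value, needle):
    """ContainsCIS: case-insensitive substring test; missing field never matches."""
    return needle.lower() in (value or "").lower()


def contains(value, needle):
    """Contains: case-sensitive substring test; missing field never matches."""
    return needle in (value or "")


def t1053_002_at_interactive(ev):
    """TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "."""
    return ev.get("TgtProcName") == "at.exe" and contains_cis(ev.get("TgtProcCmdLine"), "/interactive ")


def t1546_008_ifeo_debugger(ev):
    """IFEO Debugger value created under CurrentVersion\\Image File Execution Options."""
    path = ev.get("RegistryKeyPath")
    return (contains_cis(path, r"CurrentVersion\Image File Execution Options")
            and contains_cis(path, r".exe\Debugger")
            and ev.get("EventType") in ("Registry Value Create", "Registry Key Create"))


def t1546_app_shimming(ev):
    """sdbinst.exe installing a .sdb, or AppInit_DLLs / AppCompatFlags registry writes."""
    sdbinst = ev.get("SrcProcName") == "sdbinst.exe" and contains_cis(ev.get("SrcProcCmdLine"), ".sdb")
    path = ev.get("RegistryKeyPath")
    registry = ((contains_cis(path, "AppInit_DLLs") or contains_cis(path, "AppCompatFlags"))
                and ev.get("EventType") in ("Registry Value Create", "Registry Value Modified"))
    return sdbinst or registry


def t1548_002_uac_bypass(ev):
    """Command line touching the ms-settings or mscfile shell\\open\\command handler."""
    cmd = ev.get("SrcProcCmdLine")
    return (contains_cis(cmd, r"ms-settings\shell\open\command")
            or contains_cis(cmd, r"mscfile\shell\open\command"))


def t1574_012_cor_profiler(ev):
    """COR_* profiler variables set via script/Environment key or COR_PROFILER_PATH in registry."""
    script = ev.get("SrcProcCmdScript")
    return ((contains(script, "COR_") and contains(script, r"\Environment"))
            or contains(ev.get("RegistryKeyPath"), "COR_PROFILER_PATH")
            or contains(script, "$env:COR_"))


RULES = {
    "T1053.002": t1053_002_at_interactive,
    "T1546.008": t1546_008_ifeo_debugger,
    "T1546.010/011": t1546_app_shimming,
    "T1548.002": t1548_002_uac_bypass,
    "T1574.012": t1574_012_cor_profiler,
}

# Constructed sample telemetry (hypothetical values, not captured from an agent).
SAMPLE_EVENTS = [
    {"id": 1, "TgtProcName": "at.exe", "TgtProcCmdLine": "at.exe 13:00 /interactive cmd.exe"},
    {"id": 2, "TgtProcName": "at.exe", "TgtProcCmdLine": "at.exe /delete /yes"},
    {"id": 3, "EventType": "Registry Value Create",
     "RegistryKeyPath": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger"},
    {"id": 4, "EventType": "Registry Value Delete",
     "RegistryKeyPath": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger"},
    {"id": 5, "SrcProcName": "sdbinst.exe", "SrcProcCmdLine": r"sdbinst.exe C:\Users\Public\fix.sdb"},
    {"id": 6, "EventType": "Registry Value Modified",
     "RegistryKeyPath": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"},
    {"id": 7, "SrcProcCmdLine": r"reg query HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"id": 8, "SrcProcCmdScript": r"Get-ItemProperty HKCU:\Environment -Name COR_ENABLE_PROFILING"},
    {"id": 9, "TgtProcName": "notepad.exe", "TgtProcCmdLine": "notepad.exe readme.txt"},
]


def matched_rules(ev):
    """Names of every rule that fires on a single event."""
    return [name for name, rule in RULES.items() if rule(ev)]


def run_detections(events=SAMPLE_EVENTS):
    """Map each rule name to the ids of the events it matched, in input order."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name in matched_rules(ev):
            hits[name].append(ev["id"])
    return hits


if __name__ == "__main__":
    for name, ids in run_detections().items():
        print(f"{name}: {ids}")
```

Event 7 is a read-only `reg query` of the handler key and still fires T1548.002, which shows the query's scope: it alerts on any command line that names the handler path, so expect to triage benign audit tooling alongside real tampering. Event 4 shows the EventType filter on the IFEO rule excluding value deletions.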