Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5ca86bf47e868d42ae2f97bf11d91d26d98aac4
keyboardcrunch-sentinelone-…/Tactics/Impact.md
T
@ d5ca86bf47 Added T1490
2020-09-27 12:02:04 -05:00

1.9 KiB
Raw Blame History

Impact

T1531 Account Access Removal

Atomics: T1531

Detects the deletion of a local user account or removal of Active Directory groups through powershell cmdlets. No detection for account password resets for purpose of impact due to false detections.

SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR TgtProcCmdLine  ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS "Remove-ADGroupMember"

T1485 Data Destruction

Atomics: T1485

Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with FileType for filtering.

(AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of=") OR TgtProcDisplayName = "Secure file delete"

T1490 Inhibit System Recovery

Atomics: T1490

Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion of shadowcopy content and disabling of system recovery.

TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy" AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy" AND SrcProcCmdScript ContainsCIS "Delete()")

T1489 Service Stop

Atomics: T1489

T1529 System Shutdown/Reboot

Atomics: T1529

Reference in New Issue View Git Blame Copy Permalink