Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-09 09:27:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Cleaned up signature descriptions and metadata.

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/allow_executable_through_defender_firewall.yml
+5 -4
View File
@@ -1,8 +1,8 @@
title: Allow Executable Through Defender Firewall
author: keyboardcrunch
description: Detect allowance of executables through Defender Firewall.
description: Detect allowance of executables within Users or Temp folders through Defender Firewall.
date: 10/10/2020
modified: null
modified: 05/12/2020
mitre:
tactic: Defense Evasion
technique: T1562
@@ -10,6 +10,7 @@ mitre:
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
false_positives: null
tags: null
false_positives:
tags:
references: