Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-11 02:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Cleaned up signature descriptions and metadata.

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/inhibit_system_recovery.yml
+5 -4
View File
@@ -3,16 +3,17 @@ description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deleti
of shadowcopy content and disabling of system recovery.
author: keyboardcrunch
date: 10/10/2020
modified: null
modified: 05/12/2020
mitre:
tactic: Impact
technique: T1490
subtechnique: null
subtechnique:
operating_system: windows
query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete
catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy"
AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy"
AND SrcProcCmdScript ContainsCIS "Delete()")
false_positives: null
tags: null
false_positives:
- Manual backup or recovery through shadowcopy
tags: