Cleaned up signature descriptions and metadata.

This commit is contained in:
keyboardcrunch
2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
+8 -8
@@ -1,12 +1,11 @@
title: Msiexec Remote MSI
description: The below query will accurately detect execution of remote msi files
by msiexec.exe. The second half of the query aims to detect processes spawned by
msi files instead of dll files in the CommandLine (as that is very noisy) and may
return a bit of noise within for the CrossProcess Object as some auto-update processes
may be collected by this query.
description: Detect execution of remote msi files by msiexec.exe. The second
half of the query aims to detect processes spawned by msi files instead of dll files
in the CommandLine (as that is very noisy) and may return a bit of noise within
for the CrossProcess Object as some auto-update processes may be collected by this query.
author: keyboardcrunch
date: 10/10/2020
modified: null
modified: 05/12/2020
mitre:
tactic: Defense Evasion
technique: T1218
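Review bot: the rewritten `description:` still carries the awkward phrase "may return a bit of noise within for the CrossProcess Object"; consider "may return some noise in the CrossProcess object, since some auto-update processes are also collected by this query". Also, `modified: 05/12/2020` is day-first (the commit is dated 2020-12-05) while `date: 10/10/2020` cannot be told apart either way, so the two fields do not read consistently; an unambiguous ISO 8601 form such as `modified: 2020-12-05` would remove the guesswork.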
@@ -15,6 +14,7 @@ operating_system: windows
query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
AND SrcProcParentName = "msiexec.exe")
false_positives: null
tags: null
false_positives:
- Auto-update processes
tags:
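Review bot: the first half of the query (`SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/...`) fires on any msiexec.exe command line that contains an http(s) URL and never checks that an .msi is being passed, while remote packages installed from a UNC path (`\\host\share\package.msi`) are not matched at all, which is narrower than the "remote msi files" the description promises; consider requiring `\.msi` in the pattern and adding a UNC alternative. The second half, `SrcProcName RegExp "^.*\.(tmp)"`, has no end anchor, so it matches any process name containing ".tmp" anywhere rather than ending in it; `\.tmp$` says what the description means. Finally, the newly added `false_positives:` entry ("Auto-update processes") restates what the description already says, so one of the two places should carry the detail (which update agents were observed) rather than both carrying the generic note.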