Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Cleaned up signature descriptions and metadata.

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/process_injection.yml
+6 -5
View File
@@ -1,17 +1,18 @@
title: T1055 Process Injection
description: Detects Process Injection through execution of MavInject, filtering out
noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
HQ results.
refine results.
author: keyboardcrunch
date: 10/10/2020
modified: null
modified: 05/12/2020
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1055
subtechnique: null
subtechnique:
operating_system: windows
query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
false_positives: null
tags: null
false_positives:
- Legitimate usage of MavInject
tags: