Cleaned up signature descriptions and metadata.

This commit is contained in:
keyboardcrunch
2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
@@ -2,7 +2,7 @@ title: Rundll32 Possible Cobalt Strike
description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
author: keyboardcrunch
date: 02/12/2020
modified:
modified: 05/12/2020
mitre:
tactic: Defense Evasion
technique: T1218
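Review bot: The new `modified: 05/12/2020` value uses the same ambiguous day/month order as `date: 02/12/2020`; the commit timestamp (2020-12-05) shows these are DD/MM/YYYY, but a reader or a tool parsing the metadata cannot tell that from the field alone. Suggest writing both fields in ISO 8601 (`date: 2020-12-02`, `modified: 2020-12-05`) while the metadata is being cleaned up. Separately, the description ("lateral movement through SMB") does not line up with the `tactic: Defense Evasion` / `technique: T1218` mapping that the rule carries; one of the two should be adjusted so the signature's stated purpose matches its MITRE annotation.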
@@ -11,6 +11,7 @@ operating_system:
query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
false_positives:
- Printer drivers
- High number of outbound SMB connections
tags:
- Cobalt Strike
references:
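Review bot: The `SrcProcCmdLine RegExp` pattern in this hunk does not exclude the print-spooler command lines it is meant to exclude. The negative lookahead is placed after `.*` and immediately before `$`, so it is evaluated at end-of-string where it always succeeds; the pattern therefore matches every command line. It also ends in `/gmi`, which is a JavaScript regex-literal delimiter plus flags pasted into the string, so as written the pattern would require the command line to literally end with `/gmi`. Suggest anchoring the lookahead at the start and dropping the literal flags, e.g. `^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$`, and confirming the platform's case-insensitivity behaviour separately, since the `i` flag no longer applies. The added `High number of outbound SMB connections` false positive is a useful note, but it is the `NetConnOutCount > "0"` branch (a quoted string compared as a number) that produces those hits, so it is worth stating in the entry which condition it refers to.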