Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create solarwinds_process_disabling_services.yml

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-18 13:43:31 -06:00
committed by GitHub
parent fa5b44c390
commit 710d621de0
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/apt/solarwinds_process_disabling_services.yml
+18
View File
@@ -0,0 +1,18 @@
title: SolarWinds Process Disabling Services
description: Detect the modification of service start type by SolarWinds processes.
author: keyboardcrunch
date: 18/12/2020
modified:
mitre:
tactic: Defense Evasion
technique: T1562
subtechnique: 001
operating_system: windows
query: (RegistryKeyPath RegExp "\bMACHINE\\SYSTEM\\.*ControlSet.*\\Services\\.*\\Start" AND EventType = "Registry Value Modified") AND SrcProcName RegExp "(.*\.)?((SolarWinds.BusinessLayerHost.*|ConfigurationWizard.*|NetflowDatabasemaintenance.*|NetFlowService.*|SolarWinds.Administration.*|SolarWinds.Collector.Service.*|SolarwindsDiagnostics.*).exe)"
false_positives:
tags:
- UNC2452
- DarkHalo
- SolarWinds
references:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html