Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-11 02:11:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

auto-generated queries from markdown notes

Browse Source
This commit is contained in:
@
2020-11-23 12:08:31 -06:00
parent a3c07c2199
commit 7c09d914d1
85 changed files with 1414 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/non_windows_control_panel_item.yml
+19
View File
@@ -0,0 +1,19 @@
title: Non-Windows Control Panel Item
description: The below query will find all cpl files outside standard directories
and all cpl files executed outside of Windows directories. First portion of query
may need to be dropped if there's too much noise in your environment.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 002
operating_system: windows
query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
false_positives: null
tags: null