Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 09:05:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fixed missing os

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-06 00:58:24 -06:00
parent bc3557a4ea
commit a7503f04a6
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/rundll32_possible_cobalt_strike.yml
+1 -1
View File
@@ -7,7 +7,7 @@ mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 011
operating_system:
operating_system: windows
query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
false_positives:
- Printer drivers