Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-10 18:01:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

removed tactic from titles

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-06 00:34:46 -06:00
parent 4d6ac236bc
commit bc3557a4ea
5 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/bypass_user_access_control.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: T1548.002 Bypass User Access Control title: Bypass User Access Control
description: Detection of UAC bypass through tampering with Shell Open for .ms-settings description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
or .msc file types. Also includes detection for CMSTPLUA COM interface abuse by GUID. or .msc file types. Also includes detection for CMSTPLUA COM interface abuse by GUID.
author: keyboardcrunch author: keyboardcrunch
@@ -7,7 +7,7 @@ modified: 05/12/2020
mitre: mitre:
tactic: Defense Evasion, Privilege Escalation tactic: Defense Evasion, Privilege Escalation
technique: T1548 technique: T1548
subtechnique: 008 subtechnique: 002
operating_system: windows operating_system: windows
query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate" ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
queries/windows/disable_microsoft_office_security_features.yml
+1 -1
View File
@@ -1,4 +1,4 @@
title: T1562.001 Disable Microsoft Office Security Features title: Disable Microsoft Office Security Features
description: Detects disabling of Microsoft Office Security features. description: Detects disabling of Microsoft Office Security features.
author: keyboardcrunch author: keyboardcrunch
date: 10/10/2020 date: 10/10/2020
queries/windows/findstr_password_extraction.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: T1552.001 Findstr Password Extraction title: Findstr Password Extraction
description: Detection of content exfiltration of passwords within files using findstr.exe description: Detection of content exfiltration of passwords within files using findstr.exe
or PowerShell's findstr. or PowerShell's findstr.
author: keyboardcrunch author: keyboardcrunch
@@ -7,7 +7,7 @@ modified: null
mitre: mitre:
tactic: Credential Access tactic: Credential Access
technique: T1552 technique: T1552
subtechnique: 006 subtechnique: 001
operating_system: windows operating_system: windows
query: TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern query: TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern
password" password"
queries/windows/lsa_secrets.yml → queries/windows/lsa_secrets_extraction.yml
+1 -1
View File
@@ -1,4 +1,4 @@
title: T1003.004 LSA Secrets title: LSA Secrets Extraction
description: Detect direct LSA extraction with reg.exe. description: Detect direct LSA extraction with reg.exe.
author: keyboardcrunch author: keyboardcrunch
date: 10/10/2020 date: 10/10/2020
queries/windows/process_injection.yml
+1 -1
View File
@@ -1,4 +1,4 @@
title: T1055 Process Injection title: Process Injection
description: Detects Process Injection through execution of MavInject, filtering out description: Detects Process Injection through execution of MavInject, filtering out
noisy/expected activity. SrcProcParentName filter narrows Cross Process items to noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
refine results. refine results.