
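---
# SentinelOne hunting query: SolarWinds-family processes modifying a service's
# Start value under MACHINE\SYSTEM\...ControlSet...\Services\<service>\Start
# (T1562.001, Impair Defenses: Disable or Modify Tools).
title: SolarWinds Process Disabling Services
description: Detect the modification of service start type by SolarWinds processes.
author: keyboardcrunch
# Day/month/year as the author wrote it; not ISO-shaped, so it stays a string.
date: 18/12/2020
# Not modified yet; explicit null instead of an ambiguous bare empty value.
modified: null
# NOTE(review): tactic/technique/subtechnique are siblings of `mitre` (which is
# null), not nested under it — confirm which shape the query loader expects.
mitre: null
tactic: Defense Evasion
technique: T1562
# Quoted so the leading zeros survive: an unquoted 001 parses as the integer 1
# (octal under YAML 1.1), which would turn T1562.001 into T1562.1 downstream.
subtechnique: "001"
operating_system: windows
# Folded scalar: lines are joined with single spaces, so the value is identical
# to the original one-line query. Double backslashes in both RegExp patterns are
# literal path separators; the `.` before `exe` is an unescaped wildcard.
query: >-
  (RegistryKeyPath RegExp "\bMACHINE\\SYSTEM\\.*ControlSet.*\\Services\\.*\\Start"
  AND EventType = "Registry Value Modified")
  AND SrcProcName RegExp "(.*\.)?((SolarWinds.BusinessLayerHost.*|ConfigurationWizard.*|NetflowDatabasemaintenance.*|NetFlowService.*|SolarWinds.Administration.*|SolarWinds.Collector.Service.*|SolarwindsDiagnostics.*).exe)"
# None documented; explicit null keeps the key's current type. Presumably
# legitimate SolarWinds upgrades or reconfiguration would trip this — verify
# before listing them here.
false_positives: null
tags:
  - UNC2452
  - DarkHalo
  - SolarWinds
references:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html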