keyboardcrunch-sentinelone-…/queries/windows/account_manipulation.yml
2020-12-05 21:45:38 -06:00

title: Account Manipulation
description: Detect account manipulation with the PowerShell AD module, filtered by Parent Process, as some Logon Scripts and Configuration Items (SCOM, SCCM) may also cause noise.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
  tactic: Persistence
  technique: T1098
  subtechnique:
operating_system: windows
query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
  OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
  OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
  RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
  ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
false_positives:
  - logon scripts
  - Configuration Manager CI/BL Items
tags:
references:
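To show how the rule's clauses combine and where the parent-process exclusion suppresses a hit, here is an added Python model of the query (not part of the repository) run over constructed sample events. The field names are used as dict keys, and the operator semantics (case-insensitive substring for `In Contains Anycase`, case-sensitive `RegExp`, exact comparison for `Not In`) are assumptions.

```python
import re

# Cmdlets matched as case-insensitive substrings ("In Contains Anycase" in the query).
ACCOUNT_CMDLETS = ("New-ADUser", "Rename-LocalUser", "Set-LocalUser")
# Regex taken verbatim from the query; assumed case-sensitive like the platform's RegExp.
DOMAIN_ADMINS_RE = re.compile(r"\bAdd-ADGroupMember\b.*\bDomain Admins\b")
# Parents the query excludes to suppress logon-script and SCOM/SCCM noise (exact match assumed).
EXCLUDED_PARENTS = {"WmiPrvSE.exe", "AppVClient.exe", "svchost.exe", "CompatTelRunner.exe"}


def _contains_cmdlet(text: str) -> bool:
    lowered = text.lower()
    return any(cmdlet.lower() in lowered for cmdlet in ACCOUNT_CMDLETS)


def matches_account_manipulation(event: dict) -> bool:
    """Apply the rule's conditions to one event (keys assumed to equal the field names)."""
    cmdline = event.get("SrcProcCmdLine") or ""
    script = event.get("SrcProcCmdScript") or ""
    parent = event.get("SrcProcParentName") or ""
    hit = (
        _contains_cmdlet(cmdline)
        or _contains_cmdlet(script)
        or DOMAIN_ADMINS_RE.search(cmdline) is not None
        or DOMAIN_ADMINS_RE.search(script) is not None
    )
    return hit and parent not in EXCLUDED_PARENTS


def alerting_indexes(events: list) -> list:
    """Return the positions of the events that would raise the alert."""
    return [i for i, e in enumerate(events) if matches_account_manipulation(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"SrcProcCmdLine": 'powershell.exe -c "New-ADUser -Name svc_backup"',
     "SrcProcCmdScript": "", "SrcProcParentName": "explorer.exe"},  # alerts
    {"SrcProcCmdLine": "powershell.exe -File logon.ps1",
     "SrcProcCmdScript": "Set-LocalUser -Name guest -Description 'managed'",
     "SrcProcParentName": "svchost.exe"},  # suppressed by the parent exclusion
    {"SrcProcCmdLine": "powershell.exe",
     "SrcProcCmdScript": "Add-ADGroupMember -Identity 'Domain Admins' -Members bob",
     "SrcProcParentName": "cmd.exe"},  # alerts via the regex clause
    {"SrcProcCmdLine": "powershell.exe Get-ADUser -Filter *",
     "SrcProcCmdScript": "", "SrcProcParentName": "cmd.exe"},  # no cmdlet of interest
]
```

Running `alerting_indexes(SAMPLE_EVENTS)` returns `[0, 2]`: the second event is a real cmdlet hit that the `svchost.exe` parent exclusion drops, which is exactly the noise trade-off the description mentions.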