mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-09 09:27:16 +00:00
19 lines
725 B
YAML
title: Winlogon Helper DLL
description: >-
  Detects Winlogon Helper DLL changes through the Registry IndicatorMetadata
  item, as it holds the full registry change info but will only return data of
  the Indicators object type.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Privilege Escalation, Persistence
  technique: T1547
  # quoted so the leading zeros survive YAML integer parsing (004 would load as 4)
  subtechnique: "004"
operating_system: windows
query: >-
  IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows NT\CurrentVersion\Winlogon\Notify")
  AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell")
  AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
false_positives: null
tags: null
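The following is an added example, not code from the keyboardcrunch/sentinelone-queries repository. It re-implements the query's three predicates in Python (`In Contains Anycase` as a case-insensitive substring match against any list element, `Does Not ContainCIS` as a case-insensitive substring exclusion) and runs them over constructed IndicatorMetadata strings. The `key=...;value=...;data=...` layout of those strings is an assumption made for illustration; the real IndicatorMetadata format emitted by SentinelOne may differ. It also shows a tightened exclusion, because the substring exclusion on `userinit.exe` suppresses the well-known T1547.004 variant in which an attacker keeps the default `userinit.exe` and appends a second program to the Userinit value.

```python
# Added example: Python mirror of the Deep Visualization-style predicate above,
# evaluated over constructed sample records. Not SentinelOne code.

WINLOGON_KEYS = (
    r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
)
VALUE_NAMES = ("logon", "Userinit", "Shell")
DEFAULT_USERINIT_SUBSTRING = r"WINDOWS\system32\userinit.exe"
DEFAULT_USERINIT_EXACT = r"c:\windows\system32\userinit.exe"

# Constructed sample records (assumed key=;value=;data= layout, not real telemetry).
SAMPLES = {
    "default_userinit":
        r"key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;"
        r"value=Userinit;data=C:\Windows\system32\userinit.exe,",
    "appended_userinit":
        r"key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;"
        r"value=Userinit;data=C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe",
    "replaced_shell":
        r"key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;"
        r"value=Shell;data=explorer.exe,C:\Users\Public\shell.exe",
    "notify_dll":
        r"key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\helper;"
        r"value=DllName;data=C:\Users\Public\helper.dll",
    "unrelated_run_key":
        r"key=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run;"
        r"value=OneDrive;data=C:\Users\Public\OneDrive.exe",
}


def _in_winlogon_scope(metadata: str) -> bool:
    """First two clauses of the query: Winlogon key path AND one of the value names."""
    m = metadata.lower()
    return (any(k.lower() in m for k in WINLOGON_KEYS)
            and any(v.lower() in m for v in VALUE_NAMES))


def matches_query(metadata: str) -> bool:
    """Literal translation of the query, including the substring exclusion."""
    return (_in_winlogon_scope(metadata)
            and DEFAULT_USERINIT_SUBSTRING.lower() not in metadata.lower())


def _fields(metadata: str) -> dict:
    """Parse the assumed key=;value=;data= layout into a dict."""
    return dict(part.split("=", 1) for part in metadata.split(";"))


def matches_tightened(metadata: str) -> bool:
    """Same scope, but only the exact default Userinit data is excluded, so an
    appended second program ("userinit.exe,C:\\...\\update.exe") still alerts."""
    if not _in_winlogon_scope(metadata):
        return False
    fields = _fields(metadata)
    if fields.get("value", "").lower() == "userinit":
        data = fields.get("data", "").strip().rstrip(",").lower()
        return data != DEFAULT_USERINIT_EXACT
    return True


def evaluate(predicate) -> dict:
    """Run a predicate over every sample; returns {sample_name: matched}."""
    return {name: predicate(record) for name, record in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate(matches_query).items():
        print(f"query      {name:<20} {hit}")
    for name, hit in evaluate(matches_tightened).items():
        print(f"tightened  {name:<20} {hit}")
```

Running it shows the literal query flagging the replaced Shell value and the Notify DLL but staying silent on `appended_userinit`, because the record still contains `WINDOWS\system32\userinit.exe`. The tightened predicate excludes only a Userinit value whose data is exactly the default, and so catches the appended program while still suppressing the stock configuration. In the actual Deep Visibility query the equivalent change would be to compare the Userinit data for equality rather than substring, if the field is exposed separately from IndicatorMetadata.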