Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-09 17:37:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4d4b09a627a9dce7e854ef93095b35e72cf3d7cb
keyboardcrunch-sentinelone-…/queries/windows/startup_shortcuts.yml
T
keyboardcrunch 4d6ac236bc Cleaned up signature descriptions and metadata.
2020-12-05 21:45:38 -06:00

18 lines
549 B
YAML
Raw Blame History

title: Startup Shortcuts
description: Detection .lnk or .url files written to Startup folders.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1547
subtechnique: 009
operating_system: windows
query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND
TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND
SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
false_positives:
- Some application installs.
tags: null
Reference in New Issue View Git Blame Copy Permalink