Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4d6ac236bc25e4c6ee84460064c5b8cfe3bbe94f
keyboardcrunch-sentinelone-…/queries/windows/process_injection.yml
T
keyboardcrunch 4d6ac236bc Cleaned up signature descriptions and metadata.
2020-12-05 21:45:38 -06:00

19 lines
634 B
YAML
Raw Blame History

title: T1055 Process Injection
description: Detects Process Injection through execution of MavInject, filtering out
noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
refine results.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1055
subtechnique:
operating_system: windows
query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
false_positives:
- Legitimate usage of MavInject
tags:
Reference in New Issue View Git Blame Copy Permalink