Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
50959302ed15e36a6989f74b535fe95921db2fb6
keyboardcrunch-sentinelone-…/queries/windows/application_shimming.yml
T

16 lines
573 B
YAML
Raw Blame History

title: Application Shimming
description: Detects application shimming through sdbinst or registry modification.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Privilege Escalation, Persistence
technique: T1546
subtechnique: 008
operating_system: windows
query: (SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath
ContainsCIS "AppInit_DLLs" OR RegistryPath ContainsCIS "AppCompatFlags") AND (EventType
= "Registry Value Create" OR EventType = "Registry Value Modified"))
false_positives: null
tags: null
Reference in New Issue View Git Blame Copy Permalink