mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-09 01:17:18 +00:00
@
23 lines
1.1 KiB
YAML
23 lines
1.1 KiB
YAML
title: Account Manipulation
|
|
description: Both Atomic tests for account manipulation rely on PowerShell AD module,
|
|
so we can catch both with one query. We have the query encapsulated so that we can
|
|
filter it at the end by Parent Process, as some Logon Scripts and Configuration
|
|
Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
|
|
certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
|
|
on import of Powershell AD cmdlets.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: null
|
|
mitre:
|
|
tactic: Persistence
|
|
technique: T1098
|
|
subtechnique: null
|
|
operating_system: windows
|
|
query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
|
|
OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
|
|
OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
|
|
RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
|
|
("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
|
|
false_positives: null
|
|
tags: null
|