Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bc3557a4ea4b62ca4e3bd1afe174de64e0dd6644
keyboardcrunch-sentinelone-…/queries/windows/process_injection.yml
T
keyboardcrunch bc3557a4ea removed tactic from titles
2020-12-06 00:34:46 -06:00

19 lines
628 B
YAML
Raw Blame History

title: Process Injection
description: Detects Process Injection through execution of MavInject, filtering out
noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
refine results.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1055
subtechnique:
operating_system: windows
query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
false_positives:
- Legitimate usage of MavInject
tags:
Reference in New Issue View Git Blame Copy Permalink