Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e1fdca6dfa7a9b6ab526e0b4926d1c5a260afd7b
keyboardcrunch-sentinelone-…/queries/windows/cmstp_signed_binary_proxy_execution.yml
T
keyboardcrunch e1fdca6dfa changed to arg detection vs file detection
2021-06-08 14:07:33 -05:00

15 lines
378 B
YAML
Raw Blame History

title: CMSTP Signed Binary Proxy Execution
description: Detect execution through CMSTP installations with INF files.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
tactic: Defense Evasion
technique: T1218
subtechnique: 003
operating_system: windows
query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine ContainsCIS "/ni /s"
false_positives:
tags:
Reference in New Issue View Git Blame Copy Permalink