mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
20 lines
758 B
YAML
20 lines
758 B
YAML
title: Non-Windows Control Panel Item
|
|
description: Detect cpl files outside standard Windows directories. First portion
|
|
of query may need to be dropped if there is too much noise in your environment.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Defense Evasion
|
|
technique: T1218
|
|
subtechnique: 002
|
|
operating_system: windows
|
|
query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
|
|
AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
|
|
ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
|
|
ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
|
|
false_positives:
|
|
- Applications bringing their own cpl files
|
|
tags:
|
|
|