Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e4aae047651c10e6123463ca18906ed61b93736a
keyboardcrunch-sentinelone-…/queries/windows/process_injection.yml
T

18 lines
601 B
YAML
Raw Blame History

title: T1055 Process Injection
description: Detects Process Injection through execution of MavInject, filtering out
noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
HQ results.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion, Privilege Escalation
technique: T1055
subtechnique: null
operating_system: windows
query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
false_positives: null
tags: null
Reference in New Issue View Git Blame Copy Permalink