├── .gitignore ├── LICENSE ├── README.md ├── queries ├── apt │ ├── solarwinds_process_disabling_services.yml │ └── sunburst_campaign.yml ├── linux │ ├── dd_data_destruction.yml │ ├── linux_firewall_disabled.yml │ ├── local_account_added_nix.yml │ ├── nix_network_sniffing.yml │ └── syslog_disabled.yml └── windows │ ├── PrintNightmare.yml │ ├── account_access_removal.yml │ ├── account_manipulation.yml │ ├── allow_executable_through_defender_firewall.yml │ ├── allow_smb_and_rdp_on_defender_firewall.yml │ ├── amsi_bypass_initfailed.yml │ ├── application_shimming.yml │ ├── assoc_default_file_change.yml │ ├── at_scheduled_task.yml │ ├── batchfile_execution_from_temp.yml │ ├── bits_jobs.yml │ ├── browser_extension_installation.yml │ ├── bypass_user_access_control.yml │ ├── change_shell_open_regkeys.yml │ ├── clear_windows_event_logs.yml │ ├── cmstp_signed_binary_proxy_execution.yml │ ├── compiled_html_file.yml │ ├── cor_profiler.yml │ ├── csc_compile_after_delivery.yml │ ├── deobfuscate_or_decode_files.yml │ ├── disable_defender_firewall.yml │ ├── disable_iis_logging.yml │ ├── disable_microsoft_office_security_features.yml │ ├── disable_or_modify_service_execution.yml │ ├── disable_sysmon.yml │ ├── dll_search_order_hijacking.yml │ ├── dll_sideloading_of_npp_gup.yml │ ├── edge_or_ie_cred_extraction_w_pwsh.yml │ ├── enable_guest_account_with_rdp_and_admin.yml │ ├── exchange_transport_agent_cmdlet_use.yml │ ├── findstr_password_extraction.yml │ ├── group_policy_preference_extraction.yml │ ├── image_file_execution_debugger.yml │ ├── image_file_execution_options_injection.yml │ ├── inhibit_system_recovery.yml │ ├── invoke-maldoc.yml │ ├── kerberoasting.yml │ ├── kill_eventlog_service_threads.yml │ ├── lazagne_password_theft.yml │ ├── local_account_added_windows.yml │ ├── logon_scripts_windows.yml │ ├── lsa_secrets_extraction.yml │ ├── lsass_memory_dumping.yml │ ├── malicious_documents.yml │ ├── malicious_process_start_added_to_powershell_profile.yml │ ├── modified_sysinternals_accesschk.yml │ ├── modify_or_create_windows_service.yml │ ├── mshta.yml │ ├── msiexec_remote_msi.yml │ ├── netsh_helper_dll.yml │ ├── network_sniffing.yml │ ├── non_windows_control_panel_item.yml │ ├── ntds_copy.yml │ ├── open_local_port_on_defender_firewall.yml │ ├── os_credential_dumping.yml │ ├── outlook_vba_persistence.yml │ ├── parent_pid_spoofing.yml │ ├── pass_the_hash_and_pass_the_ticket.yml │ ├── powershell_download_cradles.yml │ ├── powershell_gui_input_capture.yml │ ├── powershell_http_form_submission.yml │ ├── powershell_keylogging.yml │ ├── powershell_time_stomping.yml │ ├── process_hollowing.yml │ ├── process_injection.yml │ ├── rdp_hijacking.yml │ ├── registry_credential_enumeration.yml │ ├── registry_run_keys.yml │ ├── remove_amsi_provider_reg_key.yml │ ├── rundll32_possible_cobalt_strike.yml │ ├── scheduled_tasks_creation.yml │ ├── scheduledtaskregister.yml │ ├── screensaver_change.yml │ ├── scripted_lateral_rdp.yml │ ├── secure_delete_data_destruction.yml │ ├── security_support_provider.yml │ ├── service_created.yml │ ├── service_disabled.yml │ ├── service_started.yml │ ├── startup_folder_persistence.yml │ ├── startup_shortcuts.yml │ ├── unquoted_service_path_for_program.exe.yml │ ├── vbs_execution_from_temp.yml │ ├── web_shell_creation.yml │ ├── windows_logon_scripts.yml │ ├── windows_management_instrumentation.yml │ ├── windows_management_instrumentation_event_subscription.yml │ ├── windows_remote_management_execution.yml │ ├── windows_service_creation.yml │ ├── windows_share_creation.yml │ └── winlogon_helper_dll.yml └── template.yml /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/.gitignore -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/README.md -------------------------------------------------------------------------------- /queries/apt/solarwinds_process_disabling_services.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/apt/solarwinds_process_disabling_services.yml -------------------------------------------------------------------------------- /queries/apt/sunburst_campaign.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/apt/sunburst_campaign.yml -------------------------------------------------------------------------------- /queries/linux/dd_data_destruction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/linux/dd_data_destruction.yml -------------------------------------------------------------------------------- /queries/linux/linux_firewall_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/linux/linux_firewall_disabled.yml -------------------------------------------------------------------------------- /queries/linux/local_account_added_nix.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/linux/local_account_added_nix.yml -------------------------------------------------------------------------------- /queries/linux/nix_network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/linux/nix_network_sniffing.yml -------------------------------------------------------------------------------- /queries/linux/syslog_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/linux/syslog_disabled.yml -------------------------------------------------------------------------------- /queries/windows/PrintNightmare.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/PrintNightmare.yml -------------------------------------------------------------------------------- /queries/windows/account_access_removal.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/account_access_removal.yml -------------------------------------------------------------------------------- /queries/windows/account_manipulation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/account_manipulation.yml -------------------------------------------------------------------------------- /queries/windows/allow_executable_through_defender_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/allow_executable_through_defender_firewall.yml -------------------------------------------------------------------------------- /queries/windows/allow_smb_and_rdp_on_defender_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml -------------------------------------------------------------------------------- /queries/windows/amsi_bypass_initfailed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/amsi_bypass_initfailed.yml -------------------------------------------------------------------------------- /queries/windows/application_shimming.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/application_shimming.yml -------------------------------------------------------------------------------- /queries/windows/assoc_default_file_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/assoc_default_file_change.yml -------------------------------------------------------------------------------- /queries/windows/at_scheduled_task.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/at_scheduled_task.yml -------------------------------------------------------------------------------- /queries/windows/batchfile_execution_from_temp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/batchfile_execution_from_temp.yml -------------------------------------------------------------------------------- /queries/windows/bits_jobs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/bits_jobs.yml -------------------------------------------------------------------------------- /queries/windows/browser_extension_installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/browser_extension_installation.yml -------------------------------------------------------------------------------- /queries/windows/bypass_user_access_control.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/bypass_user_access_control.yml -------------------------------------------------------------------------------- /queries/windows/change_shell_open_regkeys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/change_shell_open_regkeys.yml -------------------------------------------------------------------------------- /queries/windows/clear_windows_event_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/clear_windows_event_logs.yml -------------------------------------------------------------------------------- /queries/windows/cmstp_signed_binary_proxy_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/cmstp_signed_binary_proxy_execution.yml -------------------------------------------------------------------------------- /queries/windows/compiled_html_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/compiled_html_file.yml -------------------------------------------------------------------------------- /queries/windows/cor_profiler.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/cor_profiler.yml -------------------------------------------------------------------------------- /queries/windows/csc_compile_after_delivery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/csc_compile_after_delivery.yml -------------------------------------------------------------------------------- /queries/windows/deobfuscate_or_decode_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/deobfuscate_or_decode_files.yml -------------------------------------------------------------------------------- /queries/windows/disable_defender_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/disable_defender_firewall.yml -------------------------------------------------------------------------------- /queries/windows/disable_iis_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/disable_iis_logging.yml -------------------------------------------------------------------------------- /queries/windows/disable_microsoft_office_security_features.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/disable_microsoft_office_security_features.yml -------------------------------------------------------------------------------- /queries/windows/disable_or_modify_service_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/disable_or_modify_service_execution.yml -------------------------------------------------------------------------------- /queries/windows/disable_sysmon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/disable_sysmon.yml -------------------------------------------------------------------------------- /queries/windows/dll_search_order_hijacking.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/dll_search_order_hijacking.yml -------------------------------------------------------------------------------- /queries/windows/dll_sideloading_of_npp_gup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/dll_sideloading_of_npp_gup.yml -------------------------------------------------------------------------------- /queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml -------------------------------------------------------------------------------- /queries/windows/enable_guest_account_with_rdp_and_admin.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/enable_guest_account_with_rdp_and_admin.yml -------------------------------------------------------------------------------- /queries/windows/exchange_transport_agent_cmdlet_use.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/exchange_transport_agent_cmdlet_use.yml -------------------------------------------------------------------------------- /queries/windows/findstr_password_extraction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/findstr_password_extraction.yml -------------------------------------------------------------------------------- /queries/windows/group_policy_preference_extraction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/group_policy_preference_extraction.yml -------------------------------------------------------------------------------- /queries/windows/image_file_execution_debugger.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/image_file_execution_debugger.yml -------------------------------------------------------------------------------- /queries/windows/image_file_execution_options_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/image_file_execution_options_injection.yml -------------------------------------------------------------------------------- /queries/windows/inhibit_system_recovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/inhibit_system_recovery.yml -------------------------------------------------------------------------------- /queries/windows/invoke-maldoc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/invoke-maldoc.yml -------------------------------------------------------------------------------- /queries/windows/kerberoasting.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/kerberoasting.yml -------------------------------------------------------------------------------- /queries/windows/kill_eventlog_service_threads.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/kill_eventlog_service_threads.yml -------------------------------------------------------------------------------- /queries/windows/lazagne_password_theft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/lazagne_password_theft.yml -------------------------------------------------------------------------------- /queries/windows/local_account_added_windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/local_account_added_windows.yml -------------------------------------------------------------------------------- /queries/windows/logon_scripts_windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/logon_scripts_windows.yml -------------------------------------------------------------------------------- /queries/windows/lsa_secrets_extraction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/lsa_secrets_extraction.yml -------------------------------------------------------------------------------- /queries/windows/lsass_memory_dumping.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/lsass_memory_dumping.yml -------------------------------------------------------------------------------- /queries/windows/malicious_documents.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/malicious_documents.yml -------------------------------------------------------------------------------- /queries/windows/malicious_process_start_added_to_powershell_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/malicious_process_start_added_to_powershell_profile.yml -------------------------------------------------------------------------------- /queries/windows/modified_sysinternals_accesschk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/modified_sysinternals_accesschk.yml -------------------------------------------------------------------------------- /queries/windows/modify_or_create_windows_service.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/modify_or_create_windows_service.yml -------------------------------------------------------------------------------- /queries/windows/mshta.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/mshta.yml -------------------------------------------------------------------------------- /queries/windows/msiexec_remote_msi.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/msiexec_remote_msi.yml -------------------------------------------------------------------------------- /queries/windows/netsh_helper_dll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/netsh_helper_dll.yml -------------------------------------------------------------------------------- /queries/windows/network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/network_sniffing.yml -------------------------------------------------------------------------------- /queries/windows/non_windows_control_panel_item.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/non_windows_control_panel_item.yml -------------------------------------------------------------------------------- /queries/windows/ntds_copy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/ntds_copy.yml -------------------------------------------------------------------------------- /queries/windows/open_local_port_on_defender_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/open_local_port_on_defender_firewall.yml -------------------------------------------------------------------------------- /queries/windows/os_credential_dumping.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/os_credential_dumping.yml -------------------------------------------------------------------------------- /queries/windows/outlook_vba_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/outlook_vba_persistence.yml -------------------------------------------------------------------------------- /queries/windows/parent_pid_spoofing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/parent_pid_spoofing.yml -------------------------------------------------------------------------------- /queries/windows/pass_the_hash_and_pass_the_ticket.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/pass_the_hash_and_pass_the_ticket.yml -------------------------------------------------------------------------------- /queries/windows/powershell_download_cradles.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/powershell_download_cradles.yml -------------------------------------------------------------------------------- /queries/windows/powershell_gui_input_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/powershell_gui_input_capture.yml -------------------------------------------------------------------------------- /queries/windows/powershell_http_form_submission.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/powershell_http_form_submission.yml -------------------------------------------------------------------------------- /queries/windows/powershell_keylogging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/powershell_keylogging.yml -------------------------------------------------------------------------------- /queries/windows/powershell_time_stomping.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/powershell_time_stomping.yml -------------------------------------------------------------------------------- /queries/windows/process_hollowing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/process_hollowing.yml -------------------------------------------------------------------------------- /queries/windows/process_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/process_injection.yml -------------------------------------------------------------------------------- /queries/windows/rdp_hijacking.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/rdp_hijacking.yml -------------------------------------------------------------------------------- /queries/windows/registry_credential_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/registry_credential_enumeration.yml -------------------------------------------------------------------------------- /queries/windows/registry_run_keys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/registry_run_keys.yml -------------------------------------------------------------------------------- /queries/windows/remove_amsi_provider_reg_key.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/remove_amsi_provider_reg_key.yml -------------------------------------------------------------------------------- /queries/windows/rundll32_possible_cobalt_strike.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/rundll32_possible_cobalt_strike.yml -------------------------------------------------------------------------------- /queries/windows/scheduled_tasks_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/scheduled_tasks_creation.yml -------------------------------------------------------------------------------- /queries/windows/scheduledtaskregister.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/scheduledtaskregister.yml -------------------------------------------------------------------------------- /queries/windows/screensaver_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/screensaver_change.yml -------------------------------------------------------------------------------- /queries/windows/scripted_lateral_rdp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/scripted_lateral_rdp.yml -------------------------------------------------------------------------------- /queries/windows/secure_delete_data_destruction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/secure_delete_data_destruction.yml -------------------------------------------------------------------------------- /queries/windows/security_support_provider.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/security_support_provider.yml -------------------------------------------------------------------------------- /queries/windows/service_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/service_created.yml -------------------------------------------------------------------------------- /queries/windows/service_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/service_disabled.yml -------------------------------------------------------------------------------- /queries/windows/service_started.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/service_started.yml -------------------------------------------------------------------------------- /queries/windows/startup_folder_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/startup_folder_persistence.yml -------------------------------------------------------------------------------- /queries/windows/startup_shortcuts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/startup_shortcuts.yml -------------------------------------------------------------------------------- /queries/windows/unquoted_service_path_for_program.exe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/unquoted_service_path_for_program.exe.yml -------------------------------------------------------------------------------- /queries/windows/vbs_execution_from_temp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/vbs_execution_from_temp.yml -------------------------------------------------------------------------------- /queries/windows/web_shell_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/web_shell_creation.yml -------------------------------------------------------------------------------- /queries/windows/windows_logon_scripts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/windows_logon_scripts.yml -------------------------------------------------------------------------------- /queries/windows/windows_management_instrumentation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/windows_management_instrumentation.yml -------------------------------------------------------------------------------- /queries/windows/windows_management_instrumentation_event_subscription.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/windows_management_instrumentation_event_subscription.yml -------------------------------------------------------------------------------- /queries/windows/windows_remote_management_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/windows_remote_management_execution.yml -------------------------------------------------------------------------------- /queries/windows/windows_service_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/windows_service_creation.yml -------------------------------------------------------------------------------- /queries/windows/windows_share_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/windows_share_creation.yml -------------------------------------------------------------------------------- /queries/windows/winlogon_helper_dll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/queries/windows/winlogon_helper_dll.yml -------------------------------------------------------------------------------- /template.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/keyboardcrunch/sentinelone-queries/HEAD/template.yml --------------------------------------------------------------------------------