S1QL CHEATSHEET FOR SECURITY ANALYSIS

Each row gives the query subject and the S1QL field (syntax) that matches it.

HOST/AGENT INFO
  Query subject | Syntax
  Hostname | AgentName
  OS | AgentOS
  Version of agent | AgentVersion
  Domain name | DNSRequest
  Site token | SiteId
  Site name | SiteName

PROCESS TREE
  Query subject | Syntax
  Process ID | PID
  PID of the parent process | ParentPID
  Parent process | ParentProcessName
  Time parent process started to run | ParentProcessStartTime
  Unique ID of parent process | ParentProcessUniqueKey
  Process command line | ProcessCmd
  Display name of process | ProcessDisplayName
  Generated ID of the group of processes, from first parent to last generation (SentinelOne patent) | ProcessGroupId
  Pathname of running process | ProcessImagePath
  SHA1 signature of running process | ProcessImageSha1Hash
  String: SYSTEM (operating system processes), HIGH (administrators), MEDIUM (non-administrators), LOW (temporary Internet files), UNTRUSTED | ProcessIntegrityLevel
  Process name | ProcessName
  ID of the terminal session of a process | ProcessSessionId
  Process start time | ProcessStartTime
  String: SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN | ProcessSubSystem
  Unique ID of process | ProcessUniqueKey
  PID after relinked | Rpid
  Thread ID | Tid
  ID of all objects associated with a detection | TrueContext
  Username | User

FILE/REGISTRY INTEGRITY
  Query subject | Syntax
  File ID | FileID
  File name | FileFullName
  Date and time of file creation | FileCreatedAt
  MD5 | FileMD5
  Date and time of file change | FileModifyAt
  SHA1 signature | FileSHA1
  SHA256 signature | FileSHA256
  SHA1 of file before it was changed | OldFileSHA1
  Name of file before rename | OldFileName
  Identity of file signer | Signer
  Registry key unique ID | RegistryID
  Full path location of the Registry Key entry | RegistryPath

NETWORK DATA
  Query subject | Syntax
  String: GET, POST, PUT, DELETE | NetworkMethod
  URL | NetworkUrl
  DNS response data | DNSResponse
  IP address of the destination | DstIP
  Port number of destination | DstPort
  IP address of traffic source | SrcIP
  Port number of traffic source | SrcPort

SCHEDULED TASKS
  Query subject | Syntax
  Name of a scheduled task | TaskName
  Full path location of a scheduled task | TaskPath
WATCHLISTS

Each entry gives the watchlist name followed by its query.

Net User Add User
    ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"

WMIC Group List
    ProcessCmd RegExp "wmic group list"

Windows 10 Get Network Adaptor Details
    ProcessCmd RegExp "wmic nic"

Enable SMBv1 on Local System
    processCmd = "REG ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 1 /f"

WMIC List built in System Accounts
    ProcessCmd RegExp "wmic sysaccount list"

Execute File in Appdata folder
    processCmd RegExp "/FILE" AND ProcessCmd RegExp "Appdata"

Reg Query - last 10 files accessed or executed by explorer
    ProcessCmd RegExp "RecentDocs" AND ProcessCmd RegExp "REG QUERY" AND ProcessCmd RegExp "explorer"

Unusual Schedule Task Created
    ProcessCmd RegExp "schtasks" AND processName != "Manages scheduled tasks"

Nslookup
    ProcessCmd RegExp "nslookup"

Net User Delete User
    ProcessCmd RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete"

Reg Query - RunOnce
    ProcessCmd RegExp "Runonce" AND ProcessCmd RegExp "REG QUERY"

Powershell with Net connections
    DstIP Is Not Empty AND ProcessName RegExp "powershell"

Net User Domain
    ProcessCmd RegExp "net\s+user(?:(?!\s+/domain)(?:.|\n))*\s+/domain"

Reg Query - Check Patterns for Virtual Machines
    ProcessCmd RegExp "Reg Query" AND ProcessCmd RegExp "Disk" AND ProcessCmd RegExp "Enum"

Shell Process Creating File
    ( ProcessName RegExp "windows command processor" OR ProcessName RegExp "powershell" ) AND FileModifyAt > "Mar 26, 2017 00:00:39"

Add user to AD
    ProcessCmd Contains "dsadd user"

Powershell add local user
    ProcessCmd RegExp "powershell.exe New-LocalUser"

Query Group Policy RSOP Data
    ProcessCmd RegExp "gpresult"

Shell Process Modify or File
    ( ProcessName RegExp "windows command processor" OR ProcessName RegExp "powershell" ) AND ( FileModifyAt > "Mar 26, 2017 00:00:10" OR FileCreatedAt > "Mar 26, 2017 00:00:31" )

Powershell upload or download methods
    ProcessCmd RegExp "(New-Object Net.Webclient)"

System Info - windows
    ProcessCmd RegExp "systeminfo"

System Info and Network data gathering
    ProcessCmd RegExp "systeminfo" OR ProcessCmd RegExp "ver >" OR ProcessCmd RegExp "type\s+%APPDATA%" OR ProcessCmd RegExp "ipconfig" OR ProcessCmd RegExp "net\s+view" OR ProcessCmd RegExp "arp -a" OR ProcessCmd RegExp "netstat"

Suspicious - List all SPNs in a Domain
    ProcessCmd RegExp "setspn" AND ProcessCmd RegExp "-t" AND ProcessCmd RegExp "-q */*"

Registry Alteration via Command line
    ProcessCmd RegExp "reg\s+add" OR ProcessCmd RegExp "reg\s+del"

list vssadmin shadows
    ProcessCmd RegExp "vssadmin.exe list shadows"

svchost.exe running in an unusual user context
    processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"

Add user or Query local admin group
    ProcessCmd RegExp "net localgroup administrators"

WMIC Process Get - Process data and sub commands
    ProcessCmd RegExp "wmic\s+process\s+get"

Change firewall profile settings
    ProcessCmd RegExp "netsh advfirewall"

Powershell running as system user
    ProcessName RegExp "powershell" AND User RegExp "SYSTEM"

WMIC qfe - Gather Windows Patch Data
    ProcessCmd RegExp "wmic qfe"

Clear Windows Event Logs Powershell or Wevtutil
    ProcessCmd RegExp "wevtutil cl system" OR ProcessCmd RegExp "Clear-EventLog"

Powershell Scheduled Tasks Created
    ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tool"

Powershell suspicious commands
    ProcessName RegExp "powershell" AND (ProcessCmd RegExp "Invoke-Expression" OR ProcessCmd RegExp "-encodedcommand" OR ProcessCmd RegExp "hidden" OR ProcessCmd RegExp "write-host" OR ProcessCmd RegExp "Get-NetIPConfiguration")

Netsh disable firewall
    ProcessCmd RegExp "netsh firewall" AND ProcessCmd RegExp "disable"

Executable Created
    FileCreatedAt > "Apr 2, 2017 00:00:03" AND ProcessName RegExp ".exe"

Query logged in Users
    ProcessCmd RegExp "quser"

Suspicious Parent Process svchost.exe
    ProcessName RegExp "Host Process for Windows Services" AND ParentProcessName != "Host Process for Windows Services" AND ParentProcessName != "Services and Controller app"

echo command
    ProcessCmd RegExp "echo"

Qwinsta - Display information Terminal Sessions
    ProcessCmd RegExp "qwinsta"

regsvr32 and scrobj.dll register-unregister dll
    ProcessCmd RegExp "regsvr32" AND ProcessCmd RegExp "scrobj.dll"

Current Running Processes
    ProcessCmd RegExp "tasklist"

Vulnerable App launching shell
    ParentProcessName = "Insert Vulnerable Application name from Applications Tab" AND ( ProcessName RegExp "Windows Command Processor" OR ProcessName RegExp "Powershell" )

regsvr32 suspicious downloads
    processName = "Microsoft(C) Register Server" AND DstIP Is Not Empty

regsvr32 suspicious file modification
    processName = "Microsoft(C) Register Server" AND FileModifyAt > "Mar 1, 2019 00:00:45"

Net User - Query a User
    ProcessCmd RegExp "net user"

Query Network Shares
    ProcessCmd RegExp "net share"

Excel Running Shell or Python
    ParentProcessName RegExp "excel" AND (ProcessName RegExp "sh" OR ProcessName RegExp "python")

regsvr32 Persistence
    ProcessCmd RegExp "regsvr32" AND (RegistryPath Contains "machine\software\classes" OR ProcessCmd RegExp "schtasks\s+/create")

Query Account & Password Policy
    ProcessCmd RegExp "net accounts"

Whoami
    ProcessCmd RegExp "whoami"

Net Config - Query Workstation Current Settings
    ProcessCmd RegExp "net config workstation"

Powershell Get Clipboard Entry
    processCmd RegExp "powershell\.exe\s+echo\s+Get\-Process\s+\|\s+clip"

Bitsadmin suspicious commands
    ProcessCmd RegExp "bitsadmin" AND (ProcessCmd RegExp "transfer" OR ProcessCmd RegExp "download" OR ProcessCmd RegExp ".ps1" OR ProcessCmd RegExp "powershell")

Query AD
    ProcessCmd RegExp "dsquery"

Powershell Get Running Processes
    processCmd RegExp "powershell.exe echo Get-Process"

WMIC user account list
    ProcessCmd RegExp "wmic useraccount get" OR ProcessCmd RegExp "wmic useraccount list"

Registry Persistence
    ProcessCmd RegExp "reg add" AND (ProcessCmd RegExp "Run" OR ProcessCmd RegExp "Null")

Powershell Search for Doc Files
    processCmd Contains "powershell Get-ChildItem -Recurse -Include *.doc"

WMIC NT Domain Object Query
    ProcessCmd RegExp "wmic ntdomain"

Find string
    processCmd Contains "findstr"

Copy commands
    ProcessCmd RegExp "copy" OR ProcessCmd RegExp "xcopy"
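The watchlist queries on this sheet use only a handful of S1QL operators (=, !=, Contains, RegExp, Is Not Empty, AND, OR and parentheses). The following Python is an added example, not SentinelOne's code or query engine: it approximates that operator subset so three of the sheet's watchlists can be tried against constructed process events, and it looks fields up case-insensitively because the sheet mixes ProcessCmd and processCmd.

```python
import re
# Added illustration, not SentinelOne's engine: a tiny evaluator for the operator
# subset this sheet uses (=, !=, Contains, RegExp, Is Not Empty, AND, OR, parens).
_TOK = re.compile(r'\(|\)|"[^"]*"|!=|=|[^\s()]+')

def _factor(tok, i, ev):
    if tok[i] == "(":
        val, i = _expr(tok, i + 1, ev)
        return val, i + 1                      # consume ")"
    # The sheet mixes ProcessCmd / processCmd, so look fields up case-insensitively.
    actual = next((v for k, v in ev.items() if k.lower() == tok[i].lower()), "")
    if [t.lower() for t in tok[i + 1:i + 4]] == ["is", "not", "empty"]:
        return bool(actual), i + 4
    op, raw = tok[i + 1].lower(), tok[i + 2]
    value = raw[1:-1] if raw.startswith('"') else raw
    if op in ("=", "!="):
        return (actual == value) == (op == "="), i + 3
    if op == "contains":
        return value.lower() in actual.lower(), i + 3
    if op == "regexp":
        return re.search(value, actual, re.IGNORECASE) is not None, i + 3
    raise ValueError("unsupported operator: " + op)

def _term(tok, i, ev):                         # AND binds tighter than OR
    val, i = _factor(tok, i, ev)
    while i < len(tok) and tok[i].upper() == "AND":
        rhs, i = _factor(tok, i + 1, ev)
        val = val and rhs
    return val, i

def _expr(tok, i, ev):
    val, i = _term(tok, i, ev)
    while i < len(tok) and tok[i].upper() == "OR":
        rhs, i = _term(tok, i + 1, ev)
        val = val or rhs
    return val, i

def matches(query, event):
    return _expr(_TOK.findall(query), 0, event)[0]
# Three watchlists from the sheet (straight quotes; raw strings keep the backslashes).
WATCHLISTS = {
    "Net User Add User": r'ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"',
    "svchost.exe running in an unusual user context":
        r'processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" '
        r'AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"',
    "Powershell with Net connections": 'DstIP Is Not Empty AND ProcessName RegExp "powershell"',
}

def hits(event):
    # Names of the watchlists a single constructed process event (a dict) triggers.
    return [name for name, q in WATCHLISTS.items() if matches(q, event)]
```

Events are plain dicts keyed by the sheet's field names; a field absent from an event is treated as empty, which is why a bare "Is Not Empty" clause fails for it.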