S1QL CHEATSHEET FOR SECURITY ANALYSIS

QUERY SUBJECT                                     SYNTAX

HOST/AGENT INFO
  Hostname                                        AgentName
  OS                                              AgentOS
  Version of agent                                AgentVersion
  Domain name                                     DNSRequest
  Site token                                      SiteId
  Site name                                       SiteName

FILE/REGISTRY INTEGRITY
  File ID                                         FileID
  File name                                       FileFullName
  Date and time of file creation                  FileCreatedAt
  MD5                                             FileMD5
  Date and time of file change                    FileModifyAt
  SHA1 signature                                  FileSHA1
  SHA256 signature                                FileSHA256
  SHA1 of file before it was changed              OldFileSHA1
  Name of file before rename                      OldFileName
  Identity of file signer                         Signer
  Registry key unique ID                          RegistryID
  Full path location of the Registry Key entry    RegistryPath

NETWORK DATA
  String: GET, POST, PUT, DELETE                  NetworkMethod
  URL                                             NetworkUrl
  DNS response data                               DNSResponse
  IP address of the destination                   DstIP
  Port number of destination                      DstPort
  IP address of traffic source                    SrcIP
  Port number of traffic source                   SrcPort

PROCESS TREE
  Process ID                                      PID
  PID of the parent process                       ParentPID
  Parent process                                  ParentProcessName
  Time parent process started to run              ParentProcessStartTime
  Unique ID of parent process                     ParentProcessUniqueKey
  Process command line                            ProcessCmd
  Display name of process                         ProcessDisplayName
  Generated ID of the group of processes,         ProcessGroupId
    from first parent to last generation (SentinelOne Patent)
  Pathname of running process                     ProcessImagePath
  SHA1 signature of running process               ProcessImageSha1Hash
  String: SYSTEM (operating system processes),    ProcessIntegrityLevel
    HIGH (administrators), MEDIUM (non-administrators),
    LOW (temporary Internet files), UNTRUSTED
  Process Name                                    ProcessName
  ID of the terminal session of a process         ProcessSessionId
  Process start time                              ProcessStartTime
  String: SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN   ProcessSubSystem
  Unique ID of process                            ProcessUniqueKey
  PID after relinked                              Rpid
  Thread ID                                       Tid
  ID of all objects associated with a detection   TrueContext
  Username                                        User

SCHEDULED TASKS
  Name of a scheduled task                        TaskName
  Full path location of a scheduled task          TaskPath

www.SentinelOne.com  |  Sales@SentinelOne.com  |  +1-855-868-3733  |  605 Fairchild Dr, Mountain View, CA 94043


WATCHLIST NAME
    QUERY

Net User Add User
    ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"

Enable SMBv1
    processCmd = "REG ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 1 /f"

Unusual Schedule Task Created
    ProcessCmd RegExp "schtasks" AND processName != "Manages scheduled tasks"

Powershell with Net connections
    DstIP Is Not Empty AND ProcessName RegExp "powershell"

Shell Process Creating File
    ( ProcessName RegExp "windows command processor" OR ProcessName RegExp "powershell" ) AND FileModifyAt > "Mar 26, 2017 00:00:39"

Shell Process Modify or File
    ( ProcessName RegExp "windows command processor" OR ProcessName RegExp "powershell" ) AND ( FileModifyAt > "Mar 26, 2017 00:00:10" OR FileCreatedAt > "Mar 26, 2017 00:00:31" )

Registry Alteration via Command line
    ProcessCmd RegExp "reg\s+add" OR ProcessCmd RegExp "reg\s+del"

svchost.exe running in an unusual user context
    processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"

Powershell running as system user
    ProcessName RegExp "powershell" AND User RegExp "SYSTEM"

Powershell Scheduled Tasks Created
    ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tool"

Executable Created
    FileCreatedAt > "Apr 2, 2017 00:00:03" AND ProcessName RegExp ".exe"

Suspicious Parent Process svchost.exe
    ProcessName RegExp "Host Process for Windows Services" AND ParentProcessName != "Host Process for Windows Services" AND ParentProcessName != "Services and Controller app"

Vulnerable App launching shell
    ParentProcessName = "Insert Vulnerable Application name from Applications Tab" AND ( ProcessName RegExp "Windows Command Processor" OR ProcessName RegExp "Powershell" )

Excel Running Shell or Python
    ParentProcessName RegExp "excel" AND (ProcessName RegExp "sh" OR ProcessName RegExp "python")

Whoami
    ProcessCmd RegExp "whoami"

Powershell Get Clipboard Entry
    processCmd RegExp "powershell\.exe\s+echo\s+Get\-Process\s+\|\s+clip"

Powershell Get Running Processes
    processCmd RegExp "powershell.exe echo Get-Process"

Powershell Search for Doc Files
    processCmd Contains "powershell Get-ChildItem -Recurse -Include *.doc"

Find string
    processCmd Contains "findstr"

Windows 10 Network Adaptor Details
    ProcessCmd RegExp "wmic nic"

Execute File in Appdata folder
    processCmd RegExp "/FILE" AND ProcessCmd RegExp "Appdata"

Nslookup
    ProcessCmd RegExp "nslookup"

Net User Delete User
    ProcessCmd RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete"

Net User Domain
    ProcessCmd RegExp "net\s+user(?:(?!\s+/domain)(?:.|\n))*\s+/domain"

Add user to AD
    ProcessCmd Contains "dsadd user"

Powershell add local user
    ProcessCmd RegExp "powershell.exe New-LocalUser"

Powershell upload or download methods
    ProcessCmd RegExp "(New-Object Net.Webclient)"

Suspicious - List all SPNs in a Domain
    ProcessCmd RegExp "setspn" AND ProcessCmd RegExp "-t" AND ProcessCmd RegExp "-q */*"

list vssadmin shadows
    ProcessCmd RegExp "vssadmin.exe list shadows"

Add user or Query local admin group
    ProcessCmd RegExp "net localgroup administrators"

Change firewall profile settings
    ProcessCmd RegExp "netsh advfirewall"

Clear Windows Event Logs Powershell or Wevtutil
    ProcessCmd RegExp "wevtutil cl system" OR ProcessCmd RegExp "Clear-EventLog"

Netsh disable firewall
    ProcessCmd RegExp "netsh firewall" AND ProcessCmd RegExp "disable"

Query logged in Users
    ProcessCmd RegExp "quser"

echo command
    ProcessCmd RegExp "echo"

Current Running Processes
    ProcessCmd RegExp "tasklist"

Net User - Query a User
    ProcessCmd RegExp "net user"

Query Network Shares
    ProcessCmd RegExp "net share"

Query Account & Password Policy
    ProcessCmd RegExp "net accounts"

Net Config - Query Workstation Current Settings
    ProcessCmd RegExp "net config workstation"

Query AD
    ProcessCmd RegExp "dsquery"

WMIC user account list
    ProcessCmd RegExp "wmic useraccount get" OR ProcessCmd RegExp "wmic useraccount list"

WMIC NT Domain Object Query
    ProcessCmd RegExp "wmic ntdomain"

Get WMIC Group List on Local System
    ProcessCmd RegExp "wmic group list"

WMIC List built in System Accounts
    ProcessCmd RegExp "wmic sysaccount list"

Reg Query - last 10 files accessed or executed by explorer
    ProcessCmd RegExp "RecentDocs" AND ProcessCmd RegExp "REG QUERY" AND ProcessCmd RegExp "explorer"

Reg Query - RunOnce
    ProcessCmd RegExp "Runonce" AND ProcessCmd RegExp "REG QUERY"

Reg Query - Check Patterns for Virtual Machines
    ProcessCmd RegExp "Reg Query" AND ProcessCmd RegExp "Disk" AND ProcessCmd RegExp "Enum"

Query Group Policy RSOP Data
    ProcessCmd RegExp "gpresult"

System Info - windows
    ProcessCmd RegExp "systeminfo"

System Info and Network data gathering
    ProcessCmd RegExp "systeminfo" OR ProcessCmd RegExp "ver >" OR ProcessCmd RegExp "type\s+%APPDATA%" OR ProcessCmd RegExp "ipconfig" OR ProcessCmd RegExp "net\s+view" OR ProcessCmd RegExp "arp -a" OR ProcessCmd RegExp "netstat"

WMIC Process Get - Process data and sub commands
    ProcessCmd RegExp "wmic\s+process\s+get"

WMIC qfe - Gather Windows Patch Data
    ProcessCmd RegExp "wmic qfe"

Powershell suspicious commands
    ProcessName RegExp "powershell" AND (ProcessCmd RegExp "Invoke-Expression" OR ProcessCmd RegExp "-encodedcommand" OR ProcessCmd RegExp "hidden" OR ProcessCmd RegExp "write-host" OR ProcessCmd RegExp "Get-NetIPConfiguration")

Qwinsta - Display information Terminal Sessions
    ProcessCmd RegExp "qwinsta"

regsvr32 and scrobj.dll register-unregister dll
    ProcessCmd RegExp "regsvr32" AND ProcessCmd RegExp "scrobj.dll"

regsvr32 suspicious downloads
    processName = "Microsoft(C) Register Server" AND DstIP Is Not Empty

regsvr32 suspicious file modification
    processName = "Microsoft(C) Register Server" AND FileModifyAt > "Mar 1, 2019 00:00:45"

regsvr32 Persistence
    ProcessCmd RegExp "regsvr32" AND (RegistryPath Contains "machine\software\classes" OR ProcessCmd RegExp "schtasks\s+/create")

Bitsadmin suspicious commands
    ProcessCmd RegExp "bitsadmin" AND (ProcessCmd RegExp "transfer" OR ProcessCmd RegExp "download" OR ProcessCmd RegExp ".ps1" OR ProcessCmd RegExp "powershell")

Registry Persistence
    ProcessCmd RegExp "reg add" AND (ProcessCmd RegExp "Run" OR ProcessCmd RegExp "Null")

Copy commands
    ProcessCmd RegExp "copy" OR ProcessCmd RegExp "xcopy"
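Every watchlist above is a predicate over the fields listed on the first page, joined with AND, OR and parentheses. The Python below is an added example, not part of the cheatsheet and not SentinelOne's query engine: a toy tokenizer, parser and evaluator for the S1QL subset these watchlists use, run over a few constructed process events to show which watchlists fire on which event. It handles the whole subset (RegExp, Contains, =, !=, >, Is Not Empty, nested parentheses), not only the five queries copied into it. The operator semantics are assumptions made for the example (RegExp as an unanchored, case-insensitive search; Contains as a case-insensitive substring test; = and != as exact string comparison; > parsed with the "Mar 26, 2017 00:00:39" timestamp format the cheatsheet uses), as is case-insensitive matching of field names, which the cheatsheet itself relies on by mixing ProcessCmd and processCmd. The sample events, their command lines, users and the 203.0.113.5 address are all constructed.

```python
import re
from datetime import datetime

# Added example, not SentinelOne's engine: a toy evaluator for the S1QL subset used in the watchlists above.
# Assumed semantics: RegExp/Contains are case-insensitive searches, = and != exact, > compares timestamps.
_TOKEN = re.compile(r'\(|\)|"[^"]*"|Is Not Empty|!=|=|>|[A-Za-z_]\w*|(\S)')
_TS = "%b %d, %Y %H:%M:%S"  # timestamp literal format used on the cheatsheet, e.g. "Mar 26, 2017 00:00:39"

def tokenize(query):  # parentheses, quoted literals, operators and bare words; anything else is an error
    tokens = []
    for m in _TOKEN.finditer(query.replace("\u201c", '"').replace("\u201d", '"')):  # PDF curly quotes
        if m.group(1):
            raise ValueError(f"bad token at offset {m.start()}: {m.group(0)!r}")
        tokens.append(m.group(0))
    return tokens

def parse(query):  # expr := term (OR term)* ; term := factor (AND factor)* ; factor := ( expr ) | FIELD OP "lit"
    toks = tokenize(query)
    def take():
        return toks.pop(0) if toks else None
    def chain(sub, word):  # left-associative run of `sub` joined by AND or OR
        node = sub()
        while toks and toks[0].upper() == word:
            take()
            node = (word.lower(), node, sub())
        return node
    def expr():
        return chain(term, "OR")
    def term():
        return chain(factor, "AND")
    def factor():
        if toks[:1] == ["("]:
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op = take(), take()
        if op not in ("RegExp", "Contains", "=", "!=", ">", "Is Not Empty"):
            raise ValueError(f"bad comparison {field!r} {op!r}")
        if op == "Is Not Empty":
            return (op, field, None)
        literal = take() or ""
        if literal[:1] != '"':
            raise ValueError(f"{field} {op} needs a quoted value")
        return (op, field, literal[1:-1])
    return expr()

def evaluate(node, event):
    op, left, right = node
    if op == "and":
        return evaluate(left, event) and evaluate(right, event)
    if op == "or":
        return evaluate(left, event) or evaluate(right, event)
    value = next((v or "" for k, v in event.items() if k.lower() == left.lower()), "")  # field names: any case
    if op == "Is Not Empty":
        return bool(value)
    if op == "RegExp":
        return re.search(right, value, re.IGNORECASE) is not None  # unanchored search
    if op == "Contains":
        return right.lower() in value.lower()
    if op in ("=", "!="):
        return (value == right) == (op == "=")
    try:  # op is ">": compare as timestamps, falling back to plain string order
        return datetime.strptime(value, _TS) > datetime.strptime(right, _TS)
    except ValueError:
        return value > right

def run_watchlists(watchlists, events):  # watchlist name -> indices of the events it fires on
    trees = {name: parse(query) for name, query in watchlists.items()}
    return {name: [i for i, ev in enumerate(events) if evaluate(tree, ev)] for name, tree in trees.items()}

WATCHLISTS = {  # copied from the cheatsheet
    "Net User Add User": r'ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"',
    "Powershell with Net connections": r'DstIP Is Not Empty AND ProcessName RegExp "powershell"',
    "svchost.exe running in an unusual user context":
        r'processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" '
        r'AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"',
    "Powershell suspicious commands":
        r'ProcessName RegExp "powershell" AND (ProcessCmd RegExp "Invoke-Expression" OR ProcessCmd RegExp '
        r'"-encodedcommand" OR ProcessCmd RegExp "hidden" OR ProcessCmd RegExp "write-host" OR ProcessCmd '
        r'RegExp "Get-NetIPConfiguration")',
    "Shell Process Creating File":
        r'( ProcessName RegExp "windows command processor" OR ProcessName RegExp "powershell" ) '
        r'AND FileModifyAt > "Mar 26, 2017 00:00:39"',
}

EVENTS = [  # constructed sample process events, not real telemetry; ProcessName holds the description-style name
    {"ProcessName": "net.exe", "ProcessCmd": "net user svc_backup /add", "User": r"CORP\alice"},
    {"ProcessName": "powershell.exe", "ProcessCmd": "powershell -encodedcommand AAAA", "DstIP": "203.0.113.5"},
    {"ProcessName": "Host Process for Windows Services", "ProcessCmd": "svchost.exe -k netsvcs",
     "ProcessImagePath": r"C:\Windows\System32\svchost.exe", "User": r"CORP\bob"},
    {"ProcessName": "Windows Command Processor", "ProcessCmd": "cmd.exe /c whoami",
     "User": r"CORP\alice", "FileModifyAt": "Mar 27, 2017 10:00:00"},
]

if __name__ == "__main__":
    print(run_watchlists(WATCHLISTS, EVENTS))
```

Running the block prints, for each of the five copied watchlists, the indices of the sample events it matches. The exercise also makes one property of the table visible: because RegExp is an unanchored match on the command line, short patterns such as "echo", "copy" or "Run" fire on any command line that merely contains that text, so those watchlists are hunting queries to pivot from rather than alerts to act on by themselves.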
