SECURITY ANALYST CHEATSHEET

QUERY SYNTAX (description: field name)

HOST/AGENT INFO
Hostname: AgentName
OS: AgentOS
Version of Agent: AgentVersion
Domain name: DNSRequest
Site ID: SiteId
Site name: SiteName
Account ID: AccountId
Account Name: AccountName

FILE/REGISTRY INTEGRITY
File ID: FileID
File Name: FileFullName
Date and time of file creation: FileCreatedAt
MD5: FileMD5
Date and time of file change: FileModifyAt
SHA1 signature: FileSHA1
SHA256 signature: FileSHA256
SHA1 of file before it was changed: OldFileSHA1
Name of file before rename: OldFileName
Identity of file signer: Publisher
Signature Status: Signed Status
Verification Status: Verified status
Why not verified: Why not verified
Registry Key Unique ID: RegistryID
Full path location of the Registry Key entry: RegistryPath

NETWORK DATA
String: GET, POST, PUT, DELETE: NetworkMethod
URL: NetworkUrl
DNS response data: DNSResponse
IP address of the destination: DstIP
Port number of destination: DstPort
IP address of traffic source: SrcIP
Port number of traffic source: SrcPort
Browser type: Source

PROCESS TREE
Process ID: PID
PID of the parent process: ParentPID
Parent Process: ParentProcessName
Time parent process started to run: ParentProcessStartTime
Unique ID of parent process: ParentProcessUniqueKey
Process command line: ProcessCmd
Display name of process: ProcessDisplayName
Generated ID of the group of processes, from first parent to last generation (SentinelOne Patent): ProcessGroupId
Pathname of running process: ProcessImagePath
SHA1 signature of running process: ProcessImageSha1Hash
String: SYSTEM (operating system processes), HIGH (administrators), MEDIUM (non-administrators), LOW (temporary Internet files), UNTRUSTED: ProcessIntegrityLevel
Process Name: ProcessName
ID of the terminal session of a process: ProcessSessionId
Process start time: ProcessStartTime
String: SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN: ProcessSubSystem
Unique ID of process: ProcessUniqueKey
PID after relinked: Rpid
Thread ID: Tid
ID of all objects associated with a detection: TrueContext
Username: User

SCHEDULED TASKS
Name of a scheduled task: TaskName
Full path location of a scheduled task: TaskPath
The file that has been executed: executable file

www.SentinelOne.com   |   Sales@SentinelOne.com  |   +1-855-868-3733   |   605 Fairchild Dr, Mountain View, CA 94043


HUNTING QUERIES

QUERY SYNTAX (query name, followed by the query)

Net User Add User
    ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"

Enable SMBv1
    processCmd = "REG ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 1 /f"

Unusual Schedule Task Created
    ProcessCmd ContainsCIS "schtasks" AND processName != "Manages scheduled tasks"

Powershell with Net connections
    DstIP Is Not Empty AND ProcessName ContainsCIS "powershell"

Shell Process Creating File
    (ProcessName ContainsCIS "windows command processor" OR ProcessName ContainsCIS "powershell") AND FileModifyAt > "Mar 26, 2017 00:00:39"

Shell Process Modify or File
    (ProcessName ContainsCIS "windows command processor" OR ProcessName ContainsCIS "powershell") AND (FileModifyAt > "Mar 26, 2017 00:00:10" OR FileCreatedAt > "Mar 26, 2017 00:00:31")

Registry Alteration via Command line
    ProcessCmd RegExp "reg\s+add" OR ProcessCmd RegExp "reg\s+del"

svchost.exe running in an unusual user context
    processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"

Powershell running as system user
    ProcessName ContainsCIS "powershell" AND User ContainsCIS "SYSTEM"

Powershell Scheduled Tasks Created
    ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tool"

Executable Created
    FileCreatedAt > "Apr 2, 2017 00:00:03" AND ProcessName ContainsCIS ".exe"

Suspicious Parent Process svchost.exe
    ProcessName ContainsCIS "Host Process for Windows Services" AND ParentProcessName != "Host Process for Windows Services" AND ParentProcessName != "Services and Controller app"

Vulnerable App launching shell
    ParentProcessName = "Insert Vulnerable Application name from Applications Tab" AND (ProcessName ContainsCIS "Windows Command Processor" OR ProcessName ContainsCIS "Powershell")

Excel Running Shell or Python
    ParentProcessName ContainsCIS "excel" AND (ProcessName ContainsCIS "sh" OR ProcessName ContainsCIS "python")

Whoami
    ProcessCmd ContainsCIS "whoami"

Powershell Get Clipboard Entry
    processCmd RegExp "powershell\.exe\s+echo\s+Get\-Process\s+\|\s+clip"

Powershell Get Running Processes
    processCmd ContainsCIS "powershell.exe echo Get-Process"

Powershell Search for Doc Files
    processCmd ContainsCIS "powershell Get-ChildItem -Recurse -Include *.doc"

Find string commands
    processCmd ContainsCIS "findstr"

Windows 10 Get Network Adaptor Details
    ProcessCmd ContainsCIS "wmic nic"

Execute File in Appdata folder
    processCmd ContainsCIS "/FILE" AND ProcessCmd ContainsCIS "Appdata"

Nslookup
    ProcessCmd ContainsCIS "nslookup"

Net User Delete User
    ProcessCmd RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete"

Net User Domain
    ProcessCmd RegExp "net\s+user(?:(?!\s+/domain)(?:.|\n))*\s+/domain"

Add user to AD
    ProcessCmd ContainsCIS "dsadd user"

Powershell add local user
    ProcessCmd ContainsCIS "powershell.exe New-LocalUser"

Powershell upload or download methods
    ProcessCmd ContainsCIS "(New-Object Net.Webclient)"

Suspicious - List all SPNs in a Domain
    ProcessCmd ContainsCIS "setspn" AND ProcessCmd RegExp "-t" AND ProcessCmd RegExp "-q */*"

list vssadmin shadows
    ProcessCmd ContainsCIS "vssadmin.exe list shadows"

Add user or Query local admin group
    ProcessCmd ContainsCIS "net localgroup administrators"

Change firewall profile settings
    ProcessCmd ContainsCIS "netsh advfirewall"

Clear Windows Event Logs (Powershell or Wevtutil)
    ProcessCmd ContainsCIS "wevtutil cl system" OR ProcessCmd ContainsCIS "Clear-EventLog"

netsh disable firewall
    ProcessCmd ContainsCIS "netsh firewall" AND ProcessCmd ContainsCIS "disable"

Query logged in Users
    ProcessCmd ContainsCIS "quser"

Qwinsta - Display information on Terminal Sessions
    ProcessCmd ContainsCIS "qwinsta"

Current Running Processes
    ProcessCmd ContainsCIS "tasklist"

Net User - Query a User
    ProcessCmd ContainsCIS "net user"

Query Network Shares
    ProcessCmd ContainsCIS "net share"

Query Account & Password Policy
    ProcessCmd ContainsCIS "net accounts"

Net Config - Query Workstation Current Settings
    ProcessCmd ContainsCIS "net config workstation"

Query AD
    ProcessCmd ContainsCIS "dsquery"

WMIC user account list
    ProcessCmd ContainsCIS "wmic useraccount get" OR ProcessCmd RegExp "wmic useraccount list"

WMIC NT Domain Object Query
    ProcessCmd ContainsCIS "wmic ntdomain"

WMIC Group List on Local System
    ProcessCmd ContainsCIS "wmic group list"

WMIC List built in System Accounts
    ProcessCmd ContainsCIS "wmic sysaccount list"

Reg Query - last 10 files accessed or executed by explorer
    ProcessCmd ContainsCIS "RecentDocs" AND ProcessCmd ContainsCIS "REG QUERY" AND ProcessCmd ContainsCIS "explorer"

Reg Query - RunOnce
    ProcessCmd ContainsCIS "Runonce" AND ProcessCmd ContainsCIS "REG QUERY"

Reg Query - Check Patterns for Virtual Machines
    ProcessCmd ContainsCIS "Reg Query" AND ProcessCmd ContainsCIS "Disk" AND ProcessCmd ContainsCIS "Enum"

Query Group Policy RSOP Data
    ProcessCmd ContainsCIS "gpresult"

System Info - windows
    ProcessCmd ContainsCIS "systeminfo"

System Info and Network data gathering
    ProcessCmd ContainsCIS "systeminfo" OR ProcessCmd RegExp "ver >" OR ProcessCmd RegExp "type\s+%APPDATA%" OR ProcessCmd RegExp "ipconfig" OR ProcessCmd RegExp "net\s+view" OR ProcessCmd RegExp "arp -a" OR ProcessCmd RegExp "netstat"

WMIC Process Get - Process data and sub commands
    ProcessCmd RegExp "wmic\s+process\s+get"

WMIC qfe - Gather Windows Patch Data
    ProcessCmd ContainsCIS "wmic qfe"

Powershell suspicious commands
    ProcessName ContainsCIS "powershell" AND (ProcessCmd ContainsCIS "Invoke-Expression" OR ProcessCmd ContainsCIS "-encodedcommand" OR ProcessCmd ContainsCIS "hidden" OR ProcessCmd ContainsCIS "write-host" OR ProcessCmd ContainsCIS "Get-NetIPConfiguration")

echo command
    ProcessCmd ContainsCIS "echo"

regsvr32 and scrobj.dll register-unregister dll
    ProcessCmd ContainsCIS "regsvr32" AND ProcessCmd ContainsCIS "scrobj.dll"

regsvr32 suspicious downloads
    processName = "Microsoft(C) Register Server" AND DstIP Is Not Empty

regsvr32 suspicious file modification
    processName = "Microsoft(C) Register Server" AND FileModifyAt > "Mar 1, 2019 00:00:45"

regsvr32 Persistence
    ProcessCmd ContainsCIS "regsvr32" AND (RegistryPath ContainsCIS "machine\software\classes" OR ProcessCmd ContainsCIS "schtasks\s+/create")

Bitsadmin suspicious
    ProcessCmd ContainsCIS "bitsadmin" AND (ProcessCmd ContainsCIS "transfer" OR ProcessCmd ContainsCIS "download" OR ProcessCmd ContainsCIS ".ps1" OR ProcessCmd ContainsCIS "powershell")

Registry Persistence
    ProcessCmd ContainsCIS "reg add" AND (ProcessCmd ContainsCIS "Run" OR ProcessCmd ContainsCIS "Null")

Copy commands
    ProcessCmd ContainsCIS "copy" OR ProcessCmd ContainsCIS "xcopy"
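As an added example (not SentinelOne's code and not the product's query engine), the following Python emulates the operators the hunting queries rely on and runs four of them over constructed sample events, so an analyst can see which events each query would surface. Assumed semantics: ContainsCIS is a case-insensitive substring match, RegExp is an unanchored regular-expression search, and = / != are exact string comparisons; the event records, user names and IPs are all constructed.

```python
import re

# Constructed sample events (not real telemetry); keys use the cheatsheet's field names.
EVENTS = [
    {"id": 1, "ProcessName": "net.exe", "ProcessCmd": "net user backup P@ss /add",
     "User": "CORP\\alice", "ProcessImagePath": "C:\\Windows\\System32\\net.exe", "DstIP": ""},
    {"id": 2, "ProcessName": "net.exe", "ProcessCmd": "net user alice",
     "User": "CORP\\alice", "ProcessImagePath": "C:\\Windows\\System32\\net.exe", "DstIP": ""},
    {"id": 3, "ProcessName": "svchost.exe", "ProcessCmd": "svchost.exe -k netsvcs",
     "User": "CORP\\bob", "ProcessImagePath": "C:\\Windows\\System32\\svchost.exe", "DstIP": ""},
    {"id": 4, "ProcessName": "svchost.exe", "ProcessCmd": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM", "ProcessImagePath": "C:\\Windows\\System32\\svchost.exe", "DstIP": ""},
    {"id": 5, "ProcessName": "bitsadmin.exe", "ProcessCmd": "bitsadmin /transfer job /download /priority normal REMOTE_URL C:\\temp\\a.ps1",
     "User": "CORP\\bob", "ProcessImagePath": "C:\\Windows\\System32\\bitsadmin.exe", "DstIP": "203.0.113.5"},
    {"id": 6, "ProcessName": "powershell.exe", "ProcessCmd": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "User": "CORP\\carol", "ProcessImagePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DstIP": "198.51.100.20"},
]

def contains_cis(value, needle):
    """Emulates ContainsCIS: case-insensitive substring match (assumed semantics)."""
    return needle.lower() in (value or "").lower()

def regexp(value, pattern):
    """Emulates RegExp: unanchored regular-expression search (assumed semantics)."""
    return re.search(pattern, value or "") is not None

SVCHOST_EXPECTED_USERS = ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                          "NT AUTHORITY\\NETWORK SERVICE")

# Four cheatsheet queries rewritten as predicates over one event; '=' and '!=' are
# treated as exact, case-sensitive string comparison (an assumption).
QUERIES = {
    "Net User Add User": lambda e: regexp(e["ProcessCmd"], r"net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"),
    "svchost.exe running in an unusual user context": lambda e:
        e["ProcessImagePath"] == "C:\\Windows\\System32\\svchost.exe"
        and all(e["User"] != u for u in SVCHOST_EXPECTED_USERS),
    "Bitsadmin suspicious": lambda e: contains_cis(e["ProcessCmd"], "bitsadmin")
        and any(contains_cis(e["ProcessCmd"], s) for s in ("transfer", "download", ".ps1", "powershell")),
    "Powershell with Net connections": lambda e:
        bool(e["DstIP"]) and contains_cis(e["ProcessName"], "powershell"),  # DstIP Is Not Empty
}

def hunt(events=EVENTS, queries=QUERIES):
    """Return {query name: [ids of matching events]}, the hit list an analyst would triage."""
    return {name: [e["id"] for e in events if pred(e)] for name, pred in queries.items()}

if __name__ == "__main__":
    for name, hits in hunt().items():
        print(f"{name}: {hits}")
```

Event 2 shows why the negative-lookahead regex matters: a plain "net user" query would flag an ordinary account lookup, while the /add pattern only fires on event 1.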