Sentinel One DV Chea 2
Field reference (description, then the Deep Visibility field name)

  URL                              NetworkUrl
  DNS response data                DNSResponse
  IP address of the destination    DstIP

SCHEDULED TASKS
  Name of a scheduled task         TaskName
Process and command-line queries (query name, then the Deep Visibility query)

Registry Alteration via Command line
  ProcessCmd RegExp "reg\s+add" OR ProcessCmd RegExp "reg\s+del"

svchost.exe running in an unusual user context
  processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"

Powershell running as system user
  ProcessName ContainsCIS "powershell" AND User ContainsCIS "SYSTEM"

Powershell Scheduled Tasks Created
  ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tool"

Executable Created
  FileCreatedAt > "Apr 2, 2017 00:00:03" AND ProcessName ContainsCIS ".exe"

Suspicious Parent Process svchost.exe
  ProcessName ContainsCIS "Host Process for Windows Services" AND ParentProcessName != "Host Process for Windows Services" AND ParentProcessName != "Services and Controller app"

Vulnerable App launching shell
  ParentProcessName = "Insert Vulnerable Application name from Applications Tab" AND (ProcessName ContainsCIS "Windows Command Processor" OR ProcessName ContainsCIS "Powershell")

Excel Running Shell or Python
  ParentProcessName ContainsCIS "excel" AND (ProcessName ContainsCIS "sh" OR ProcessName ContainsCIS "python")

Whoami
  ProcessCmd ContainsCIS "whoami"

Powershell Get Clipboard Entry
  processCmd RegExp "powershell\.exe\s+echo\s+Get\-Process\s+\|\s+clip"

Powershell Get Running Processes
  processCmd ContainsCIS "powershell.exe echo Get-Process"

Powershell Search for Doc Files
  processCmd ContainsCIS "powershell Get-ChildItem -Recurse -Include *.doc"

Find string commands
  processCmd ContainsCIS "findstr"

Windows 10 Get Network Adaptor Details
  ProcessCmd ContainsCIS "wmic nic"

Execute File in Appdata folder
  processCmd ContainsCIS "/FILE" AND ProcessCmd ContainsCIS "Appdata"

Nslookup
  ProcessCmd ContainsCIS "nslookup"

Query AD
  ProcessCmd ContainsCIS "dsquery"

WMIC user account list
  ProcessCmd ContainsCIS "wmic useraccount get" OR ProcessCmd RegExp "wmic useraccount list"

WMIC NT Domain Object Query
  ProcessCmd ContainsCIS "wmic ntdomain"

WMIC Group List
  ProcessCmd ContainsCIS "wmic group list"

WMIC List built in System Accounts
  ProcessCmd ContainsCIS "wmic sysaccount list"

Reg Query - last 10 files accessed or executed by explorer
  ProcessCmd ContainsCIS "RecentDocs" AND ProcessCmd ContainsCIS "REG QUERY" AND ProcessCmd ContainsCIS "explorer"

Reg Query - RunOnce
  ProcessCmd ContainsCIS "Runonce" AND ProcessCmd ContainsCIS "REG QUERY"

Reg Query - Check Patterns for Virtual Machines
  ProcessCmd ContainsCIS "Reg Query" AND ProcessCmd ContainsCIS "Disk" AND ProcessCmd ContainsCIS "Enum"

Query Group Policy RSOP Data
  ProcessCmd ContainsCIS "gpresult"

System Info - windows
  ProcessCmd ContainsCIS "systeminfo"

System Info and Network data gathering
  ProcessCmd ContainsCIS "systeminfo" OR ProcessCmd RegExp "ver >" OR ProcessCmd RegExp "type\s+%APPDATA%" OR ProcessCmd RegExp "ipconfig" OR ProcessCmd RegExp "net\s+view" OR ProcessCmd RegExp "arp -a" OR ProcessCmd RegExp "netstat"

WMIC Process Get - Process data and sub commands
  ProcessCmd RegExp "wmic\s+process\s+get"

WMIC qfe - Gather Windows Patch Data
  ProcessCmd ContainsCIS "wmic qfe"

Powershell suspicious commands
  ProcessName ContainsCIS "powershell" AND (ProcessCmd ContainsCIS "Invoke-Expression" OR ProcessCmd ContainsCIS "-encodedcommand" OR ProcessCmd ContainsCIS "hidden" OR ProcessCmd ContainsCIS "write-host" OR ProcessCmd ContainsCIS "Get-NetIPConfiguration")

echo command
  ProcessCmd ContainsCIS "echo"

regsvr32 and scrobj.dll register-unregister dll
  ProcessCmd ContainsCIS "regsvr32" AND ProcessCmd ContainsCIS "scrobj.dll"
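To see how the queries above behave before pasting them into the console, it helps to run them over a few process events offline. The evaluator below is an added example, not SentinelOne code: it parses the operators the cheat sheet uses (=, !=, ContainsCIS, RegExp, AND, OR, parentheses) with assumed semantics (ContainsCIS as case-insensitive substring, RegExp as an unanchored case-insensitive search, field names case-insensitive) and runs five of the page's queries verbatim over constructed sample events. The events, user names and command lines are made up for the demonstration.

```python
"""Toy evaluator for the Deep Visibility-style queries on this page.

Added example, not SentinelOne code. Assumed semantics (not from the page):
a query is a boolean expression over event fields using only the operators
the cheat sheet uses,
    Field = "x"    Field != "x"    Field ContainsCIS "x"    Field RegExp "x"
joined by AND / OR with parentheses. ContainsCIS is a case-insensitive
substring test; RegExp is an unanchored, case-insensitive re.search; field
names are case-insensitive (the page mixes ProcessCmd and processCmd).
"""
import re

# One token per match: ( ) "string" = != or a bare word (field / keyword / operator)
TOKEN = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(!=|=)|([A-Za-z_][A-Za-z0-9_]*))')


def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad query near {query[pos:pos + 20]!r}")
        pos = m.end()
        lp, rp, text, op, word = m.groups()
        if lp or rp:
            tokens.append(("PAREN", lp or rp))
        elif text is not None:
            tokens.append(("STR", text))          # backslashes kept verbatim
        elif op:
            tokens.append(("OP", op))
        elif word.upper() in ("AND", "OR"):
            tokens.append(("KW", word.upper()))
        elif word.lower() in ("containscis", "regexp"):
            tokens.append(("OP", word.lower()))
        else:
            tokens.append(("FIELD", word.lower()))
    return tokens


class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*."""

    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", None)

    def take(self, kind):
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek()[0] != "EOF":
            raise ValueError(f"trailing input at {self.peek()}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == ("KW", "OR"):
            self.take("KW")
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("KW", "AND"):
            self.take("KW")
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == ("PAREN", "("):
            self.take("PAREN")
            node = self.expr()
            if self.take("PAREN") != ("PAREN", ")"):
                raise ValueError("expected ')'")
            return node
        field = self.take("FIELD")[1]
        op = self.take("OP")[1]
        return ("cmp", field, op, self.take("STR")[1])


def evaluate(node, event):
    """Evaluate a parsed query against one event (dict of lowercase field -> str)."""
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, field, op, value = node
    actual = str(event.get(field, ""))
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "containscis":
        return value.lower() in actual.lower()
    return re.search(value, actual, re.IGNORECASE) is not None   # regexp (assumed semantics)


def matches(query, event):
    return evaluate(Parser(query).parse(), event)


# Five queries copied from the cheat sheet above.
RULES = {
    "Registry Alteration via Command line":
        r'ProcessCmd RegExp "reg\s+add" OR ProcessCmd RegExp "reg\s+del"',
    "svchost.exe running in an unusual user context":
        r'processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" '
        r'AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"',
    "Powershell suspicious commands":
        r'ProcessName ContainsCIS "powershell" AND (ProcessCmd ContainsCIS "Invoke-Expression" '
        r'OR ProcessCmd ContainsCIS "-encodedcommand" OR ProcessCmd ContainsCIS "hidden" '
        r'OR ProcessCmd ContainsCIS "write-host" OR ProcessCmd ContainsCIS "Get-NetIPConfiguration")',
    "Excel Running Shell or Python":
        r'ParentProcessName ContainsCIS "excel" AND (ProcessName ContainsCIS "sh" OR ProcessName ContainsCIS "python")',
    "WMIC user account list":
        r'ProcessCmd ContainsCIS "wmic useraccount get" OR ProcessCmd RegExp "wmic useraccount list"',
}

# Constructed sample events (hypothetical hosts, users and command lines).
EVENTS = [
    {"id": 1, "user": r"CORP\alice", "parentprocessname": "cmd.exe", "processname": "reg.exe",
     "processimagepath": r"C:\Windows\System32\reg.exe",
     "processcmd": r"reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\alice\AppData\Roaming\upd.exe"},
    {"id": 2, "user": r"CORP\bob", "parentprocessname": "services.exe", "processname": "svchost.exe",
     "processimagepath": r"C:\Windows\System32\svchost.exe", "processcmd": "svchost.exe -k netsvcs"},
    {"id": 3, "user": r"NT AUTHORITY\SYSTEM", "parentprocessname": "services.exe", "processname": "svchost.exe",
     "processimagepath": r"C:\Windows\System32\svchost.exe", "processcmd": "svchost.exe -k netsvcs"},
    {"id": 4, "user": r"CORP\alice", "parentprocessname": "EXCEL.EXE", "processname": "powershell.exe",
     "processimagepath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "processcmd": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 5, "user": r"CORP\alice", "parentprocessname": "EXCEL.EXE", "processname": "cmd.exe",
     "processimagepath": r"C:\Windows\System32\cmd.exe", "processcmd": "cmd.exe /c wmic useraccount get name,sid"},
]


def run_rules(events, rules=RULES):
    """Map each event id to the names of the rules it triggers, in rule order."""
    compiled = {name: Parser(q).parse() for name, q in rules.items()}
    return {e["id"]: [n for n, tree in compiled.items() if evaluate(tree, e)] for e in events}


if __name__ == "__main__":
    for eid, hits in run_rules(EVENTS).items():
        print(eid, hits)
```

Two things the sample run makes visible. Event 3 (svchost.exe as NT AUTHORITY\SYSTEM) is correctly excluded by the chain of != clauses, while event 2 (the same image under a domain user) fires. Events 4 and 5 show the breadth of the Excel query: ContainsCIS "sh" matches powershell.exe only because of the substring, and misses a cmd.exe child entirely, so in practice you would list the shells you care about explicitly rather than rely on "sh".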
www.SentinelOne.com | Sales@SentinelOne.com
+1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043