Sentinel One DV Chea 1

SentinelOne cheat sheet

Uploaded by kkrsirigiri

S1QL CHEATSHEET FOR SECURITY ANALYSIS

  Syntax                    Query

HOST/AGENT INFO
  AgentName                 Hostname
  AgentOS                   OS
  AgentVersion              Version of Agent
  DNSRequest                Domain name
  SiteId                    Site ID
  SiteName                  Site name
  AccountId                 Account ID
  AccountName               Account Name

FILE/REGISTRY INTEGRITY
  FileID                    File ID
  FileFullName              File Name
  FileCreatedAt             Date and time of file creation
  FileMD5                   MD5
  FileModifyAt              Date and time of file change
  FileSHA1                  SHA1 signature
  FileSHA256                SHA256 signature
  OldFileSHA1               SHA1 of file before it was changed
  OldFileName               Name of file before rename
  Publisher                 Identity of file signer
  Signed Status             Signature Status
  Verified status           Verification Status
  Why not verified          Why not verified
  RegistryID                Registry Key Unique ID
  RegistryPath              Full path location of the Registry Key entry

SCHEDULED TASKS
  TaskName                  Name of a scheduled task
  TaskPath                  Full path location of a scheduled task
  Executable file           The file which has been executed

PROCESS TREE
  PID                       Process ID
  ParentPID                 PID of the parent process
  ParentProcessName         Parent Process
  ParentProcessStartTime    Time parent process started to run
  ParentProcessUniqueKey    Unique ID of parent process
  ProcessCmd                Process command line
  ProcessDisplayName        Display name of process
  ProcessGroupId            Generated ID of the group of processes, from first parent to last generation (SentinelOne Patent)
  ProcessImagePath          Pathname of running process
  ProcessImageSha1Hash      SHA1 signature of running process
  ProcessIntegrityLevel     String: SYSTEM (operating system processes), HIGH (administrators), MEDIUM (non-administrators), LOW (temporary Internet files), UNTRUSTED
  ProcessName               Process Name
  ProcessSessionId          ID of the terminal session of a process
  ProcessStartTime          Process start time
  ProcessSubSystem          String: SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN
  ProcessUniqueKey          Unique ID of process
  Rpid                      PID after relinked
  Tid                       Thread ID
  TrueContext               ID of all objects associated with a detection
  User                      Username

NETWORK DATA
  NetworkMethod             String: GET, POST, PUT, DELETE
  NetworkUrl                URL
  DNSResponse               DNS response data
  DstIP                     IP address of the destination
  DstPort                   Port number of destination
  SrcIP                     IP address of traffic source
  SrcPort                   Port number of traffic source
  Source                    Browser type

www.SentinelOne.com | Sales@SentinelOne.com | +1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043


HUNTING QUERIES
Each entry gives the query name followed by its S1QL syntax.

Net User Add User
  ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"

Enable SMBv1
  processCmd = "REG ADD HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 1 /f"

Unusual Schedule Task Created
  ProcessCmd ContainsCIS "schtasks" AND processName != "Manages scheduled tasks"

Net User Delete User
  ProcessCmd RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete"

Net User Domain
  ProcessCmd RegExp "net\s+user(?:(?!\s+/domain)(?:.|\n))*\s+/domain"

Shell Process Creating File
  (ProcessName ContainsCIS "windows command processor" OR ProcessName ContainsCIS "powershell") AND FileModifyAt > "Mar 26, 2017 00:00:39"

Shell Process Modify or Create File
  (ProcessName ContainsCIS "windows command processor" OR ProcessName ContainsCIS "powershell") AND (FileModifyAt > "Mar 26, 2017 00:00:10" OR FileCreatedAt > "Mar 26, 2017 00:00:31")

Registry Alteration via Command line
  ProcessCmd RegExp "reg\s+add" OR ProcessCmd RegExp "reg\s+del"

svchost.exe running in an unusual user context
  processImagePath = "C:\Windows\System32\svchost.exe" AND User != "NT AUTHORITY\SYSTEM" AND User != "NT AUTHORITY\LOCAL SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE"

Powershell running as system user
  ProcessName ContainsCIS "powershell" AND User ContainsCIS "SYSTEM"

Powershell Scheduled Tasks Created
  ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tool"

Executable Created
  FileCreatedAt > "Apr 2, 2017 00:00:03" AND ProcessName ContainsCIS ".exe"

Suspicious Parent Process svchost.exe
  ProcessName ContainsCIS "Host Process for Windows Services" AND ParentProcessName != "Host Process for Windows Services" AND ParentProcessName != "Services and Controller app"

Vulnerable App launching shell
  ParentProcessName = "Insert Vulnerable Application name from Applications Tab" AND (ProcessName ContainsCIS "Windows Command Processor" OR ProcessName ContainsCIS "Powershell")

Excel Running Shell or Python
  ParentProcessName ContainsCIS "excel" AND (ProcessName ContainsCIS "sh" OR ProcessName ContainsCIS "python")

Powershell Get Clipboard Entry
  processCmd RegExp "powershell\.exe\s+echo\s+Get\-Process\s+\|\s+clip"

Powershell Get Running Processes
  processCmd ContainsCIS "powershell.exe echo Get-Process"

Powershell Search for Doc Files
  processCmd ContainsCIS "powershell Get-ChildItem -Recurse -Include *.doc"

Find string
  processCmd ContainsCIS "findstr"

Windows 10 Get Network Adaptor Details
  ProcessCmd ContainsCIS "wmic nic"

Execute File in Appdata folder
  processCmd ContainsCIS "/FILE" AND ProcessCmd ContainsCIS "Appdata"

Nslookup
  ProcessCmd ContainsCIS "nslookup"

Powershell with Net connections
  DstIP Is Not Empty AND ProcessName ContainsCIS "powershell"

Add user to AD
  ProcessCmd ContainsCIS "dsadd user"

Powershell add local user
  ProcessCmd ContainsCIS "powershell.exe New-LocalUser"

Powershell upload or download methods
  ProcessCmd ContainsCIS "(New-Object Net.Webclient)"

Suspicious - List all SPNs in a Domain
  ProcessCmd ContainsCIS "setspn" AND ProcessCmd RegExp "-t" AND ProcessCmd RegExp "-q */*"

list vssadmin shadows
  ProcessCmd ContainsCIS "vssadmin.exe list shadows"

Add user or Query local admin group
  ProcessCmd ContainsCIS "net localgroup administrators"

Change firewall profile settings
  ProcessCmd ContainsCIS "netsh advfirewall"

Clear Windows Event Logs Powershell or Wevtutil
  ProcessCmd ContainsCIS "wevtutil cl system" OR ProcessCmd ContainsCIS "Clear-EventLog"

netsh disable firewall
  ProcessCmd ContainsCIS "netsh firewall" AND ProcessCmd ContainsCIS "disable"

Query logged in Users
  ProcessCmd ContainsCIS "quser"

Qwinsta - Display information Terminal Sessions
  ProcessCmd ContainsCIS "qwinsta"

Current Running Processes
  ProcessCmd ContainsCIS "tasklist"

Net User - Query a User
  ProcessCmd ContainsCIS "net user"

Query Network Shares
  ProcessCmd ContainsCIS "net share"

Query Account & Password Policy
  ProcessCmd ContainsCIS "net accounts"

Net Config - Query Workstation Current Settings
  ProcessCmd ContainsCIS "net config workstation"

Whoami
  ProcessCmd ContainsCIS "whoami"

Query AD
  ProcessCmd ContainsCIS "dsquery"

WMIC user account list
  ProcessCmd ContainsCIS "wmic useraccount get" OR ProcessCmd RegExp "wmic useraccount list"

WMIC NT Domain Object Query
  ProcessCmd ContainsCIS "wmic ntdomain"

WMIC Group List on Local System
  ProcessCmd ContainsCIS "wmic group list"

WMIC List built in System Accounts
  ProcessCmd ContainsCIS "wmic sysaccount list"

Reg Query - last 10 files accessed or executed by explorer
  ProcessCmd ContainsCIS "RecentDocs" AND ProcessCmd ContainsCIS "REG QUERY" AND ProcessCmd ContainsCIS "explorer"

Reg Query - RunOnce
  ProcessCmd ContainsCIS "Runonce" AND ProcessCmd ContainsCIS "REG QUERY"

Reg Query - Check Patterns for Virtual Machines
  ProcessCmd ContainsCIS "Reg Query" AND ProcessCmd ContainsCIS "Disk" AND ProcessCmd ContainsCIS "Enum"

Query Group Policy RSOP Data
  ProcessCmd ContainsCIS "gpresult"

System Info - windows
  ProcessCmd ContainsCIS "systeminfo"

System Info and Network data gathering
  ProcessCmd ContainsCIS "systeminfo" OR ProcessCmd RegExp "ver >" OR ProcessCmd RegExp "type\s+%APPDATA%" OR ProcessCmd RegExp "ipconfig" OR ProcessCmd RegExp "net\s+view" OR ProcessCmd RegExp "arp -a" OR ProcessCmd RegExp "netstat"

WMIC Process Get - Process data and sub commands
  ProcessCmd RegExp "wmic\s+process\s+get"

WMIC qfe - Gather Windows Patch Data
  ProcessCmd ContainsCIS "wmic qfe"

Powershell suspicious commands
  ProcessName ContainsCIS "powershell" AND (ProcessCmd ContainsCIS "Invoke-Expression" OR ProcessCmd ContainsCIS "-encodedcommand" OR ProcessCmd ContainsCIS "hidden" OR ProcessCmd ContainsCIS "write-host" OR ProcessCmd ContainsCIS "Get-NetIPConfiguration")

echo command
  ProcessCmd ContainsCIS "echo"

regsvr32 and scrobj.dll register-unregister dll
  ProcessCmd ContainsCIS "regsvr32" AND ProcessCmd ContainsCIS "scrobj.dll"

regsvr32 suspicious downloads
  processName = "Microsoft(C) Register Server" AND DstIP Is Not Empty

regsvr32 suspicious file modification
  processName = "Microsoft(C) Register Server" AND FileModifyAt > "Mar 1, 2019 00:00:45"

regsvr32 Persistence
  ProcessCmd ContainsCIS "regsvr32" AND (RegistryPath ContainsCIS "machine\software\classes" OR ProcessCmd ContainsCIS "schtasks\s+/create")

Bitsadmin suspicious commands
  ProcessCmd ContainsCIS "bitsadmin" AND (ProcessCmd ContainsCIS "transfer" OR ProcessCmd ContainsCIS "download" OR ProcessCmd ContainsCIS ".ps1" OR ProcessCmd ContainsCIS "powershell")

Registry Persistence
  ProcessCmd ContainsCIS "reg add" AND (ProcessCmd ContainsCIS "Run" OR ProcessCmd ContainsCIS "Null")

Copy commands
  ProcessCmd ContainsCIS "copy" OR ProcessCmd ContainsCIS "xcopy"
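To show how the ContainsCIS and RegExp hunts above behave on concrete telemetry, here is an added Python example (not SentinelOne's code and not an S1QL engine): it approximates ContainsCIS as a case-insensitive substring test and RegExp as an unanchored, case-sensitive regex search (both are assumptions about S1QL semantics), and runs three hunts from the table over constructed sample events.

```python
import re

# Constructed sample process events (not real telemetry); field names follow the cheat sheet.
EVENTS = [
    {"ProcessName": "net.exe", "ProcessCmd": "net user backup P@ssw0rd /add",
     "ProcessImagePath": r"C:\Windows\System32\net.exe", "User": r"CORP\alice"},
    {"ProcessName": "net.exe", "ProcessCmd": "NET USER alice",
     "ProcessImagePath": r"C:\Windows\System32\net.exe", "User": r"CORP\alice"},
    {"ProcessName": "svchost.exe", "ProcessCmd": "svchost.exe -k netsvcs",
     "ProcessImagePath": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessName": "svchost.exe", "ProcessCmd": "svchost.exe",
     "ProcessImagePath": r"C:\Windows\System32\svchost.exe", "User": r"CORP\bob"},
    {"ProcessName": "powershell.exe", "ProcessCmd": "powershell -w hidden -EncodedCommand SQBFAFgA",
     "ProcessImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\bob"},
]


def contains_cis(event, field, needle):
    """Stand-in for S1QL ContainsCIS: case-insensitive substring match (assumed semantics)."""
    return needle.lower() in event.get(field, "").lower()


def regexp(event, field, pattern):
    """Stand-in for S1QL RegExp: unanchored, case-sensitive regex search (assumed semantics)."""
    return re.search(pattern, event.get(field, "")) is not None


SERVICE_ACCOUNTS = (r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE")
PS_TERMS = ("Invoke-Expression", "-encodedcommand", "hidden", "write-host", "Get-NetIPConfiguration")

# Three hunts from the cheat sheet expressed as Python predicates over one event.
HUNTS = {
    # Tempered pattern: anything after "net user" is allowed up to the first "/add".
    "Net User Add User": lambda e: regexp(e, "ProcessCmd", r"net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"),
    "svchost.exe running in an unusual user context": lambda e: (
        e.get("ProcessImagePath") == r"C:\Windows\System32\svchost.exe"
        and e.get("User") not in SERVICE_ACCOUNTS),
    "Powershell suspicious commands": lambda e: (
        contains_cis(e, "ProcessName", "powershell")
        and any(contains_cis(e, "ProcessCmd", t) for t in PS_TERMS)),
}


def run_hunts(events=EVENTS):
    """Return {hunt name: [indexes of the events that the hunt flags]}."""
    return {name: [i for i, e in enumerate(events) if pred(e)] for name, pred in HUNTS.items()}


if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(f"{name}: events {hits}")
```

Because ContainsCIS matches a substring anywhere in the command line, broad terms from the table such as "hidden", "echo" or "copy" will be noisy on real volumes and need tuning before they are used as alerts.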
