Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
Sigma rule (View on GitHub)
1title: Potential SentinelOne Shell Context Menu Scan Command Tampering
2id: 6c304b02-06e6-402d-8be4-d5833cdf8198
3status: experimental
4description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
5references:
6 - https://mrd0x.com/sentinelone-persistence-via-menu-context/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2024/03/06
9tags:
10 - attack.persistence
11logsource:
12 category: registry_set
13 product: windows
14detection:
15 selection:
16 TargetObject|contains: '\shell\SentinelOneScan\command\'
17 filter_main_sentinelone_default_scan_binary:
18 Details|startswith:
19 - 'C:\Program Files\SentinelOne\Sentinel Agent'
20 - 'C:\Program Files (x86)\SentinelOne\Sentinel Agent'
21 Details|contains: '\SentinelScanFromContextMenu.exe'
22 filter_main_sentinelone_binary:
23 Image|endswith:
24 - 'C:\Program Files\SentinelOne\'
25 - 'C:\Program Files (x86)\SentinelOne\'
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- AWS ECS Task Definition That Queries The Credential Endpoint
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- Mailbox Export to Exchange Webserver