adamcysec / SentinelOne-PowerSploit-Indicators


Thanks And Additional Info #1

Open mattcargile opened 2 years ago

mattcargile commented 2 years ago

Very helpful. I was just running through my workstation with Sentinel One. There is surprisingly little information about the pollution Sentinel One is doing to the session. My ZLocation performance tanked as well as general performance. The breakpoint on $PSDefaultParameterValues is probably the worst.

I ran through the Script Block logging on my end and see mostly the same code.

Here is the first call I see running. Note: I did remove much of the encryptedData.

```powershell
try {
    # Save the caller's preference variables and silence errors, progress and warnings
    try {
        $local:oldErrorActionPreference = $global:ErrorActionPreference
        $local:oldProgressPreference = $global:ProgressPreference
        $local:oldWarningPreference = $global:WarningPreference
        $global:ErrorActionPreference = 'SilentlyContinue'
        $global:ProgressPreference = 'SilentlyContinue'
        $global:WarningPreference = 'SilentlyContinue'
    } catch {}
    if ($env:PSentinel) {
        # The payload is XOR-encrypted; the key arrives in the PSentinel environment variable
        $encryptedData = [byte[]](113,83,84,63,7,27,10,20,17) # this is much longer in real life
        $secret = $env:PSentinel.ToCharArray()
        # Delete the key from the environment as soon as it has been read
        try { rm Env:\PSentinel -ErrorAction SilentlyContinue | Out-Null } catch { $env:PSentinel = '' }
        # Repeating-key XOR; the resulting bytes are cast to chars and joined into the script text
        $xordData = $(for ($i = 0; $i -lt $encryptedData.length; $i++) {
            $encryptedData[$i] -bxor $secret[$i % $secret.length] })
        $xordData = $($([char[]]$xordData) -join '')
        # The decrypted script is prefixed with a statement that deletes $toInvoke, and every
        # intermediate variable is removed before the payload runs
        $toInvoke = 'try {Remove-Item "variable:toInvoke" -ErrorAction SilentlyContinue | Out-Null} catch {} ; ' + $xordData
        try { rm "variable:xordData" -ErrorAction SilentlyContinue | Out-Null } catch {}
        try { rm "variable:i" -ErrorAction SilentlyContinue | Out-Null } catch {}
        try { Remove-Item "variable:secret" -ErrorAction SilentlyContinue | Out-Null } catch {}
        try { Remove-Item "variable:encryptedData" -ErrorAction SilentlyContinue | Out-Null } catch {}
        invoke-expression $toInvoke
    }
} catch {} finally {
    # Restore the caller's preferences and remove the saved copies
    try {
        $global:ErrorActionPreference = $local:oldErrorActionPreference
        $global:ProgressPreference = $local:oldProgressPreference
        $global:WarningPreference = $local:oldWarningPreference
        rm "variable:local:oldErrorActionPreference" -ErrorAction SilentlyContinue | Out-Null
        rm "variable:local:oldProgressPreference" -ErrorAction SilentlyContinue | Out-Null
        rm "variable:local:oldWarningPreference" -ErrorAction SilentlyContinue | Out-Null
    } catch {}
}
```

I also found it interesting that VSCode running powershell.exe was unaffected, as was pwsh.exe.

Lastly, it appears they got fancy with their PowerSploit indicators array. This section is a pain because it pollutes the global variable namespace on all sessions with the variables $item and $local:Po_wer_Spl_oit_Indicators.

```powershell
# Each entry is a PowerSploit cmdlet name split into fragments and reassembled with the
# -f format operator, so the plain cmdlet name never appears in the script text itself.
$local:Po_wer_Spl_oit_Indicators = (
    ("{0}{5}{4}{2}{3}{1}" -f 'Inv','ion','nje','ct','I','oke-Dll'),
    ("{6}{2}{3}{8}{1}{7}{5}{0}{4}" -f 'o','eP','nvoke-','Reflect','n','ecti','I','EInj','iv'),
    ("{1}{0}{3}{2}"-f'v','In','lcode','oke-Shel'),
    ("{0}{2}{3}{1}" -f'Invoke-','ommand','W','miC'),
    ("{5}{1}{3}{2}{4}{0}" -f 'd','t-E','a','ncodedComm','n','Ou'),
    ("{4}{0}{2}{3}{1}" -f 'ut-C','l','ompre','ssedDl','O'),
    ("{2}{3}{4}{1}{0}" -f't','p','Out-Encrypted','Sc','ri'),
    ("{0}{2}{3}{1}"-f 'Rem','t','ove-Comm','en'),
    ("{0}{3}{7}{6}{2}{4}{5}{1}"-f'New','ion','te','-User','n','ceOpt','is','Pers'),
    ("{3}{2}{5}{1}{0}{4}" -f'eOpt','istenc','w-Elevated','Ne','ion','Pers'),
    ("{2}{3}{0}{1}{4}"-f 'is','te','Ad','d-Pers','nce'),
    ("{0}{3}{2}{1}" -f'Install-','P','S','S'),
    ("{4}{0}{3}{2}{5}{1}" -f 't-S','s','ka','ecurityPac','Ge','ge'),
    ("{3}{2}{1}{0}"-f 'gnature','-AVSi','ind','F'),
    ("{6}{2}{3}{1}{0}{5}{4}"-f 'u','ip','voke-T','okenMan','ion','lat','In'),
    ("{0}{3}{2}{4}{5}{1}" -f'In','n','oke-C','v','re','dentialInjectio'),
    ("{1}{2}{0}{3}{4}" -f'Nin','I','nvoke-','jaCop','y'),
    ("{2}{0}{1}" -f'Mimika','tz','Invoke-'),
    ("{1}{2}{3}{0}" -f'rokes','Get','-Ke','yst'),
    ("{2}{4}{1}{3}{0}"-f'ord','PPP','Get','assw','-G'),
    ("{3}{2}{1}{0}" -f'on','log','GPPAuto','Get-'),
    ("{3}{1}{5}{0}{2}{4}"-f 'cr','d','e','Get-Time','enshot','S'),
    ("{2}{4}{0}{1}{5}{3}"-f'lumeS','had','N','y','ew-Vo','owCop'),
    ("{1}{0}{3}{2}"-f '-VolumeShad','Get','py','owCo'),
    ("{1}{2}{3}{5}{4}{0}"-f 'y','Mount-Vol','umeShad','o','op','wC'),
    ("{2}{3}{4}{1}{0}{5}"-f 'wCop','eShado','Remo','ve-','Volum','y'),
    ("{2}{3}{4}{0}{1}{5}"-f'i','a','Get-VaultC','red','ent','l'),
    ("{1}{3}{2}{0}"-f'p','Out-M','um','inid'),
    ("{4}{1}{2}{0}{3}" -f 'neAudi','et-Mi','cropho','o','G'),
    ("{3}{5}{2}{6}{0}{1}{4}"-f'oot','Rec','te','S','ord','et-Mas','rB'),
    ("{0}{2}{1}{3}"-f 'Set-Crit','calP','i','rocess'),
    ("{2}{0}{1}{3}"-f 'oke','-Po','Inv','rtscan'),
    ("{1}{3}{2}{0}"-f 'ttpStatus','G','H','et-'),
    ("{2}{3}{1}{0}"-f'DnsLookup','-Reverse','Invo','ke'),
    ("{1}{3}{2}{0}" -f'oup','Get-Pro','r','cessTokenG'),
    ("{2}{0}{1}"-f 'et-Syst','em','G'),
    ("{0}{4}{3}{2}{1}" -f'Invok','oast','er','b','e-Ker')
)
# One command breakpoint per name. Because this runs at the top of the session, $item and
# the "$local:" array both end up in the global scope, which is the pollution noted above.
foreach ($item in $local:Po_wer_Spl_oit_Indicators) {
    Set-PSBreakpoint -Command $item -Action { <#sentinelbreakpoints#> . {
        # Remember the error count, attempt a write to an invalid path, then remove whatever
        # errors that write added so $error.Count is back to what it was before the breakpoint fired
        $local:PreviousErrCount = $error.count
        try { '' | out-file ':::::\windows\sentinel\8' } catch {}
        while ($PreviousErrCount -ne $error.count) {
            $error.remove($error[0])
        }
        Remove-Variable PreviousErrCount -Scope local -Confirm:$false -WhatIf:$false
    } } | Out-Null
};
```
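Added example (not code from the issue, the repository, or SentinelOne): a small Python triage helper for analysts working through script block logging (event 4104) offline. It recognises the agent's own fingerprints quoted in this thread (the `<#sentinelbreakpoints#>` marker, the `:::::\windows\sentinel\8` path, the `Po_wer_Spl_oit_Indicators` variable and the `$env:PSentinel` key handoff), reassembles the `-f` obfuscated cmdlet names without executing any PowerShell (the `-f` operator is .NET `String.Format`, whose positional `{n}` placeholders behave the same as Python's `str.format`), and mirrors the repeating-key XOR from the bootstrap so the decrypted stage can be recovered when the key is captured. The sample block is a trimmed copy of the array above; the XOR bytes and key `ab` are constructed for the demonstration. Seeing `Get-Keystrokes` fall out of the decoder is also why a generic "keylogging script" rule fires on these blocks.

```python
import re
from typing import Dict, List

# Strings that appear verbatim in the SentinelOne instrumentation quoted in this issue.
# Seeing one of them in a 4104 script block says the block came from the agent, not from
# an operator actually running PowerSploit.
SENTINEL_MARKERS = (
    "<#sentinelbreakpoints#>",
    r":::::\windows\sentinel\8",
    "Po_wer_Spl_oit_Indicators",
    "$env:PSentinel",
)

# One array entry: ("{fmt}" -f 'a','b',...), with or without whitespace around -f.
_FORMAT_ENTRY = re.compile(r'''\(\s*"([^"]*)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)''')
_QUOTED_ARG = re.compile(r"'([^']*)'")


def decode_format_entries(script_text: str) -> List[str]:
    """Reassemble every ("{..}" -f ...) expression found in a logged script block.

    .NET String.Format and Python str.format agree on positional {n} placeholders,
    so the fragments can be put back together without evaluating PowerShell.
    """
    names = []
    for fmt, arg_blob in _FORMAT_ENTRY.findall(script_text):
        args = _QUOTED_ARG.findall(arg_blob)
        names.append(fmt.format(*args))
    return names


def sentinel_markers_present(script_text: str) -> List[str]:
    """Return the SentinelOne markers found in the block, in SENTINEL_MARKERS order."""
    return [m for m in SENTINEL_MARKERS if m in script_text]


def xor_decode(encrypted: bytes, secret: str) -> str:
    """Repeating-key XOR exactly as the quoted bootstrap does it:
    encryptedData[i] -bxor secret[i % secret.length], then bytes -> chars."""
    key = secret.encode("latin-1")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(encrypted)).decode("latin-1")


def triage(script_text: str) -> Dict[str, object]:
    """Classify one script block: where it came from and which cmdlet names it carries."""
    markers = sentinel_markers_present(script_text)
    return {
        "source": "sentinelone-instrumentation" if markers else "unknown",
        "markers": markers,
        "indicators": decode_format_entries(script_text),
    }


# Constructed sample: the indicator array from the issue above, trimmed to six entries.
SAMPLE_BLOCK = r'''
$local:Po_wer_Spl_oit_Indicators = (
    ("{0}{5}{4}{2}{3}{1}" -f 'Inv','ion','nje','ct','I','oke-Dll'),
    ("{6}{2}{3}{8}{1}{7}{5}{0}{4}" -f 'o','eP','nvoke-','Reflect','n','ecti','I','EInj','iv'),
    ("{1}{0}{3}{2}"-f'v','In','lcode','oke-Shel'),
    ("{2}{0}{1}" -f'Mimika','tz','Invoke-'),
    ("{1}{2}{3}{0}" -f'rokes','Get','-Ke','yst'),
    ("{0}{4}{3}{2}{1}" -f'Invok','oast','er','b','e-Ker')
)
foreach ($item in $local:Po_wer_Spl_oit_Indicators) {
    Set-PSBreakpoint -Command $item -Action { <#sentinelbreakpoints#> . {
        try { '' | out-file ':::::\windows\sentinel\8' } catch {} } } | Out-Null
};
'''

if __name__ == "__main__":
    result = triage(SAMPLE_BLOCK)
    print(result["source"], result["markers"])
    for name in result["indicators"]:
        print("  breakpoint on", name)
    # Constructed ciphertext: "Get-Date" XORed with the two-byte key "ab"
    print(xor_decode(bytes([38, 7, 21, 79, 37, 3, 21, 7]), "ab"))
```

Feed `triage()` the ScriptBlockText of each 4104 event: anything that reports `sentinelone-instrumentation` can be suppressed or tagged as agent noise, while a block that decodes to the same cmdlet names but carries none of the markers deserves the alert. The decoder only understands the single-quoted, comma-separated form used in this array; other obfuscation layers would need their own handling.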
BizaNator commented 1 year ago

I too recently ran into this when pulling winlog PowerShell events that were triggering the Elastic Security "PowerShell Keylogging Script" alert. After a lot of investigation it was looking like it was a detection rule, and now we know for sure it's Sentinel One, as it is, or at least was, installed on the endpoint in question. Thanks for helping to confirm.

adamcysec commented 7 months ago

Great info! Thanks for contributing.