search

microsoft / AaronLocker

Robust and practical application control for Windows
MIT License
595 stars 72 forks source link

Create-Policies script triggers SentinelOne for Malware #40

Open mobilemcclintic opened 4 months ago

mobilemcclintic commented 4 months ago

Running Create-Policies.ps1 triggers SentinelOne as malicious. Powershell is terminated and Accesschk.exe is quarantined.

Alert Name: Shadow copy Deletion detected Severity: High Notable Events and MITRE ATT&K ID's (appears to be in reverse order): Deletes shadow copy Impact (T1490) Identified attempt to access a raw volume Discovery (T1082) User logged on Persistence (T1078) X4 Obfuscated PowerShell command executed from an LNK file was detected Defense Evasion (T1027) X3 An obfuscated PowerShell command was detected Defense Evasion (T1027) X3 Powershell execution policy was changed Execution (T1059.001) Process started from shortcut file Execution (T1204) Indirect command was executed Defense Evasion (T1218) X2