[New WTFBin]: SentinelOne

[Purp1eW0lf]

• Contributor Name: Dray Agha @ purp1ew0lf
• Application/Executable: SentinelOne
• WTF Behavior Description: A legitimate PowerShell script associated with SentinelOne includes encoded PowerShell, AMSI bypass encoding, as well as strings for offensive security commands such as 'Invoke-Mimikatz'. If running another security solution - like Defender - it may flag this SentinelOne legitimate PowerShell activity as malicious.
• Link to Documentation of Behavior: Explanation below. Forgive me for copy and pasting the strings, but I want defenders to be able to google and find this wtfbin
• Please provide any images for additional evidence.

Buckle up for the explanation behind this one

The specific SentinelOne PowerShell we're talking about contains the strings sentinelbreakpoints that recurs throughout. It can be found in the PowerShell operational evtx, under event id 4104

Contained within this script will be the following variations of base64

IwBNAGEAdAB0ACAARwByAGEAZQBiAGUAcgBzACAAUgBlAGYAbABlAGMAdABpAG8AbgAgAG0AZQB0AGgAbwBkACAACgBbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAIgAkACgAWwBDAEgAQQByAF0AKAA4ADMAKQArAFsAQwBoAGEAUgBdACgAWwBCAFkAdABlAF0AMAB4ADcAOQApACsAWwBDAEgAQQByAF0AKABbAGIAWQBUAEUAXQAwAHgANwAzACkAKwBbAEMAaABBAHIAXQAoADEAMQA2ACsANQA5AC0ANQA5ACkAKwBbAEMASABhAFIAXQAoAFsAYgB5AHQAZQBdADAAeAA2ADUAKQArAFsAYwBoAGEAUgBdACgAWwBiAFkAVABFAF0AMAB4ADYAZAApACsAWwBDAEgAQQBSAF0AKAA0ADYAKgAyADkALwAyADkAKQArAFsAYwBoAGEAcgBdACgANwA3ACkAKwBbAEMAaABhAFIAXQAoAFsAQgBZAFQAZQBdADAAeAA2ADEAKQArAFsAYwBIAEEAUgBdACgANQA0ACsANQA2ACkAKwBbAGMASABhAFIAXQAoADgANAArADEAMwApACsAWwBDAGgAYQBSAF0AKABbAGIAWQBUAGUAXQAwAHgANgA3ACkAKwBbAEMAaABBAHIAXQAoAFsAYgB5AHQARQBdADAAeAA2ADUAKQArAFsAYwBoAEEAcgBdACgAWwBiAFkAVABFAF0AMAB4ADYAZAApACsAWwBjAEgAYQByAF0AKABbAGIAeQBUAEUAXQAwAHgANgA1ACkAKwBbAGMASABhAHIAXQAoAFsAQgB5AHQARQBdADAAeAA2AGUAKQArAFsAYwBoAGEAUgBdACgAWwBCAHkAVABlAF0AMAB4ADcANAApACkALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AJAAoACcAwgBtAHMA7gBVAHQA7ABsAHMAJwAuAE4AbwByAG0AQQBsAEkAWgBlACgAWwBDAEgAQQByAF0AKAA3ADAAKQArAFsAQwBIAGEAUgBdACgAMQAxADEAKwAzADcALQAzADcAKQArAFsAQwBoAEEAUgBdACgAWwBiAHkAVABFAF0AMAB4ADcAMgApACsAWwBjAGgAYQBSAF0AKAAxADAAOQApACsAWwBDAEgAQQByAF0AKABbAEIAeQB0AEUAXQAwAHgANAA0ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAQwBIAGEAUgBdACgAOAAzACsAOQApACsAWwBjAGgAQQByAF0AKABbAEIAeQB0AEUAXQAwAHgANwAwACkAKwBbAGMASABBAFIAXQAoADEAMgAzACkAKwBbAGMAaABBAFIAXQAoADcANwApACsAWwBDAEgAYQByAF0AKAAzADkAKwA3ADEAKQArAFsAQwBIAGEAUgBdACgAWwBiAFkAVABlAF0AMAB4ADcAZAApACkAIgApAC4ARwBlAHQARgBpAGUAbABkACgAJAAoAFsAYwBoAGEAcgBdACgAOQA3ACoANwA3AC8ANwA3ACkAKwBbAEMASABBAFIAXQAoADEAMAA5ACsAMQAwADAALQAxADAAMAApACsAWwBDAGgAYQByAF0AKAAxADEANQApACsAWwBjAEgAQQBSAF0AKABbAEIAWQBUAEUAXQAwAHgANgA5ACkAKwBbAGMASABhAHIAXQAoAFsAYgB5AHQARQBdADAAeAA0ADkAKQArAFsAYwBIAEEAUgBdACgAWwBiAFkAdABlAF0AMAB4ADYAZQApACsAWwBDAEgAQQByAF0AKAAxADAANQArADEANwAtADEANwApACsAWwBDAGgAQQBSAF0AKABbAGIAeQB0AEUAXQAwAHgANwA0ACkAKwBbAGMASABhAFIAXQAoAFsAQgB5AFQAZQBdADAAeAA0ADYAKQArAFsAYwBIAEEAcgBdACgAWwBiAHkAVABlAF0AMAB4ADYAMQApACsAWwBDAEgAQQByAF0AKAAxADAANQApACsAWwBDAEgAQQByAF0AKABbAEIAeQBUAGUAXQAwAHgANgBjACkAKwBbAGMASABBAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADUAKQArAFsAQwBIAGEAUgBdACgAWwBiAFkAVABlAF0AMAB4ADYANAApACkALAAiAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAIgApAC4ARwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACkAOwA=

## And

IwBNAGEAdAB0ACAARwByAGEAZQBiAGUAcgBzACAAcwBlAGMAbwBuAGQAIABSAGUAZgBsAGUAYwB0AGkAbwBuACAAbQBlAHQAaABvAGQAIAAKAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiACQAKABbAGMAaABhAFIAXQAoAFsAYgB5AHQARQBdADAAeAA1ADMAKQArAFsAYwBIAGEAcgBdACgAWwBiAHkAdABFAF0AMAB4ADcAOQApACsAWwBjAEgAQQByAF0AKABbAEIAeQB0AEUAXQAwAHgANwAzACkAKwBbAGMASABhAHIAXQAoAFsAYgBZAHQARQBdADAAeAA3ADQAKQArAFsAYwBoAGEAcgBdACgAWwBiAHkAVABlAF0AMAB4ADYANQApACsAWwBjAGgAYQBSAF0AKAAxADAAOQArADEAMAAtADEAMAApACsAWwBjAGgAQQBSAF0AKAA0ADYAKgAyADYALwAyADYAKQArAFsAYwBoAGEAcgBdACgAWwBCAFkAdABFAF0AMAB4ADQAZAApACsAWwBjAGgAYQByAF0AKABbAEIAWQB0AEUAXQAwAHgANgAxACkAKwBbAEMASABBAHIAXQAoADkAMwArADEANwApACsAWwBDAGgAQQByAF0AKAA5ADcAKQArAFsAYwBoAGEAcgBdACgAWwBCAFkAVABlAF0AMAB4ADYANwApACsAWwBjAGgAYQByAF0AKAA4ADUAKwAxADYAKQArAFsAQwBIAEEAcgBdACgAWwBiAHkAVABlAF0AMAB4ADYAZAApACsAWwBjAEgAYQBSAF0AKABbAGIAeQB0AEUAXQAwAHgANgA1ACkAKwBbAEMASABhAFIAXQAoAFsAYgBZAHQAZQBdADAAeAA2AGUAKQArAFsAQwBoAEEAUgBdACgAMwA2ACsAOAAwACkAKQAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAQQBSAF0AKABbAGIAWQBUAEUAXQAwAHgANAAxACkAKwBbAEMASABBAFIAXQAoAFsAYgB5AHQARQBdADAAeAA2AGQAKQArAFsAQwBoAEEAUgBdACgAMQAxADUAKQArAFsAYwBoAGEAcgBdACgANQA1ACsANQAwACkAKwBbAEMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA1ADUAKQArAFsAQwBIAGEAUgBdACgAMQAxADYAKgA3ADUALwA3ADUAKQArAFsAYwBIAGEAUgBdACgAWwBiAHkAdABFAF0AMAB4ADYAOQApACsAWwBDAEgAQQBSAF0AKABbAGIAeQB0AGUAXQAwAHgANgBjACkAKwBbAGMAaABBAFIAXQAoAFsAYgB5AFQARQBdADAAeAA3ADMAKQApACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAYwBIAGEAcgBdACgAOQA3ACsANgAyAC0ANgAyACkAKwBbAEMASABhAHIAXQAoADEANgArADkAMwApACsAWwBDAGgAQQBSAF0AKABbAEIAeQB0AEUAXQAwAHgANwAzACkAKwBbAGMASABhAFIAXQAoAFsAYgB5AFQAZQBdADAAeAA2ADkAKQArAFsAYwBoAGEAUgBdACgAWwBCAHkAdABFAF0AMAB4ADQAMwApACsAWwBDAGgAYQByAF0AKABbAEIAWQB0AEUAXQAwAHgANgBmACkAKwBbAEMAaABBAFIAXQAoAFsAYgB5AHQAZQBdADAAeAA2AGUAKQArAFsAYwBIAGEAUgBdACgAMQAxADYAKQArAFsAYwBIAGEAUgBdACgAMQAyACsAOAA5ACkAKwBbAEMASABBAHIAXQAoADEAMgAwACsAMQAyAC0AMQAyACkAKwBbAGMAaABhAHIAXQAoAFsAQgBZAHQAZQBdADAAeAA3ADQAKQApACIALABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBCAGkAbgBkAGkAbgBnAEYAbABhAGcAcwBdACIATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAiACkALgBHAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwAKQA7AA==

Decoded these reference Matt Graeber's AMSI bypass technique, and include the AMSI bypass tactic of character/byte substitution.

#Matt Graebers Reflection method 
[Ref].Assembly.GetType("$([CHAr](83)+[ChaR]([BYte]0x79)+[CHAr]([bYTE]0x73)+[ChAr](116+59-59)+[CHaR]([byte]0x65)+[chaR]([bYTE]0x6d)+[CHAR](46*29/29)+[char](77)+[ChaR]([BYTe]0x61)+[cHAR](54+56)+[cHaR](84+13)+[ChaR]([bYTe]0x67)+[ChAr]([bytE]0x65)+[chAr]([bYTE]0x6d)+[cHar]([byTE]0x65)+[cHar]([BytE]0x6e)+[chaR]([ByTe]0x74)).Automation.$('ÂmsîUtìls'.NormAlIZe([CHAr](70)+[CHaR](111+37-37)+[ChAR]([byTE]0x72)+[chaR](109)+[CHAr]([BytE]0x44)) -replace [CHaR](83+9)+[chAr]([BytE]0x70)+[cHAR](123)+[chAR](77)+[CHar](39+71)+[CHaR]([bYTe]0x7d))").GetField($([char](97*77/77)+[CHAR](109+100-100)+[Char](115)+[cHAR]([BYTE]0x69)+[cHar]([bytE]0x49)+[cHAR]([bYte]0x6e)+[CHAr](105+17-17)+[ChAR]([bytE]0x74)+[cHaR]([ByTe]0x46)+[cHAr]([byTe]0x61)+[CHAr](105)+[CHAr]([ByTe]0x6c)+[cHAr]([Byte]0x65)+[CHaR]([bYTe]0x64)),"NonPublic,Static").GetValue($null);

## And 

#Matt Graebers second Reflection method 
[Ref].Assembly.GetType("$([chaR]([bytE]0x53)+[cHar]([bytE]0x79)+[cHAr]([BytE]0x73)+[cHar]([bYtE]0x74)+[char]([byTe]0x65)+[chaR](109+10-10)+[chAR](46*26/26)+[char]([BYtE]0x4d)+[char]([BYtE]0x61)+[CHAr](93+17)+[ChAr](97)+[char]([BYTe]0x67)+[char](85+16)+[CHAr]([byTe]0x6d)+[cHaR]([bytE]0x65)+[CHaR]([bYte]0x6e)+[ChAR](36+80)).Automation.$([ChAR]([bYTE]0x41)+[CHAR]([bytE]0x6d)+[ChAR](115)+[char](55+50)+[ChAr]([BYTe]0x55)+[CHaR](116*75/75)+[cHaR]([bytE]0x69)+[CHAR]([byte]0x6c)+[chAR]([byTE]0x73))").GetField("$([cHar](97+62-62)+[CHar](16+93)+[ChAR]([BytE]0x73)+[cHaR]([byTe]0x69)+[chaR]([BytE]0x43)+[Char]([BYtE]0x6f)+[ChAR]([byte]0x6e)+[cHaR](116)+[cHaR](12+89)+[CHAr](120+12-12)+[char]([BYte]0x74))",[Reflection.BindingFlags]"NonPublic,Static").GetValue($null);

Once these have been decoded, they're harmless methods to query AMSI related information.

# generally this or slight variations of
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").GetValue($null)

Specifically, this encoded section uses AMSI bypass encoding to check if AMSI has been bypassed itself (amsiinitFailed = false means bypassed).

Returning back to the wider SentinelOne script, after the base64 strings it then assigns the AMSI queries as a variable, and does various if/then/else stuff with the answer if AMSI had been bypassed or not.

And then we see it query strings to do with known malicious PowerShell tools, mainly starting with Invoke-

In conclusion, it is WILD that all of this is NOT malicious and is completely legitimate SentinelOne activity. Lord have mercy.

[mttaggart]

A banger as always. Adding this right now!

[mttaggart]

Added in 3129886189ddb84dc4e829d97e82bff8832d1a30

Thanks to @adamcysec for this fantastic enrichment! https://github.com/adamcysec/SentinelOne-PowerSploit-Indicators

[UberGuidoZ]

This post just saved us from a VERY long night and alerting many clients, falsely, about a possible compromise. Thank you.

[HuskyHacks]

you love to see it