Closed Purp1eW0lf closed 2 years ago
A banger as always. Adding this right now!
Added in 3129886189ddb84dc4e829d97e82bff8832d1a30
Thanks to @adamcysec for this fantastic enrichment! https://github.com/adamcysec/SentinelOne-PowerSploit-Indicators
This post just saved us from a VERY long night and alerting many clients, falsely, about a possible compromise. Thank you.
you love to see it
Buckle up for the explanation behind this one
The specific SentinelOne PowerShell we're talking about contains the string "sentinelbreakpoints" that recurs throughout. It can be found in the PowerShell operational evtx, under event ID 4104. Contained within this script will be the following variations of base64:
Decoded, these reference Matt Graeber's AMSI bypass technique, and include the AMSI bypass tactic of character/byte substitution.
Once these have been decoded, they're harmless methods to query AMSI related information.
Specifically, this encoded section uses AMSI bypass encoding to check if AMSI has been bypassed itself (amsiinitFailed = false means bypassed).
Returning back to the wider SentinelOne script, after the base64 strings it then assigns the AMSI queries as a variable, and does various if/then/else stuff with the answer if AMSI had been bypassed or not.
And then we see it query strings to do with known malicious PowerShell tools, mainly starting with "Invoke-".
In conclusion, it is WILD that all of this is NOT malicious and is completely legitimate SentinelOne activity. Lord have mercy.
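The triage steps the comment above walks through (find the recurring "sentinelbreakpoints" marker in a 4104 script block, decode the embedded base64, confirm the decoded text is AMSI-related, and list the Invoke-* tool names it queries) can be scripted so an analyst is not doing it by hand at 2 a.m. The following Python is an added example for this thread, not code from SentinelOne, adamcysec's indicators, or the original poster. The script block it runs on is constructed for illustration and only contains a placeholder phrase mentioning AmsiUtils/amsiInitFailed; it does not reproduce the vendor's actual encoded content or any bypass. The marker string, the "amsi" substring check and the Invoke-* pattern are the heuristics described in the comment, nothing more, and a marker alone is treated as a weak signal.

```python
import base64
import re
from typing import Dict, List, Optional

# Marker the thread reports recurring throughout the SentinelOne script.
SENTINEL_MARKER = "sentinelbreakpoints"
# Base64-looking runs; 24+ chars avoids ordinary words and short identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Tool names the script queries for, per the comment ("mainly starting with Invoke-").
INVOKE_RE = re.compile(r"\bInvoke-[A-Za-z]+\b")


def _try_decode(token: str) -> Optional[str]:
    """Decode a base64 token as UTF-8 or UTF-16LE text; None if it is not printable text."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-8", "utf-16-le"):  # PowerShell -EncodedCommand uses UTF-16LE
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def decode_base64_strings(script_text: str) -> List[str]:
    """Return every base64 run in the script block that decodes to readable text."""
    return [d for d in (_try_decode(t) for t in B64_RE.findall(script_text)) if d]


def triage_scriptblock(script_text: str) -> Dict[str, object]:
    """Apply the thread's heuristics to one event ID 4104 ScriptBlockText value."""
    decoded = decode_base64_strings(script_text)
    amsi_refs = [d for d in decoded if "amsi" in d.lower()]
    invoke_tools = sorted(set(INVOKE_RE.findall(script_text)))
    marker_present = SENTINEL_MARKER in script_text.lower()

    if marker_present and amsi_refs:
        verdict = "matches the benign SentinelOne pattern described in the thread"
    elif amsi_refs:
        verdict = "AMSI-related encoded content without the SentinelOne marker: analyst review"
    elif marker_present:
        verdict = "marker only, no AMSI-related encoded content: weak signal, analyst review"
    else:
        verdict = "no AMSI-related encoded content found"

    return {
        "marker_present": marker_present,
        "amsi_refs": amsi_refs,
        "invoke_tools": invoke_tools,
        "verdict": verdict,
    }


# Constructed sample script block (NOT the vendor's script): a harmless placeholder
# phrase is base64-encoded both as UTF-8 and as UTF-16LE, mirroring the "variations
# of base64" the comment mentions, plus the marker and two Invoke-* names.
_PLACEHOLDER = "query AmsiUtils amsiInitFailed state (constructed placeholder, not a bypass)"
_B64_UTF8 = base64.b64encode(_PLACEHOLDER.encode("utf-8")).decode()
_B64_UTF16 = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode()

SAMPLE_SCRIPTBLOCK = f"""
# sentinelbreakpoints -- constructed sample for illustration
$chk1 = '{_B64_UTF8}'
$chk2 = '{_B64_UTF16}'
# sentinelbreakpoints
if ($amsiState -eq $false) {{ Write-Output 'bypassed' }} else {{ Write-Output 'intact' }}
$tools = @('Invoke-Expression', 'Invoke-ExampleTool')
"""

if __name__ == "__main__":
    for key, value in triage_scriptblock(SAMPLE_SCRIPTBLOCK).items():
        print(f"{key}: {value}")
```

Feed it the ScriptBlockText field of each 4104 event (for example, exported from the Microsoft-Windows-PowerShell/Operational log) and review anything that does not land on the first verdict. The marker is deliberately not sufficient on its own: the decoded AMSI references plus the marker together are what the comment describes, and an exact-match against the indicators in adamcysec's repository is the stronger check.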