SECURITY ANALYST CHEATSHEET QUERY SYNTAX QUERY SYNTAX HOST/AGENT INFO PROCESS TREE Hostname AgentName Process ID PID OS AgentOS PID of the parent process ParentPID Version of Agent AgentVersion Parent Process ParentProcessName Domain name DNSRequest Time parent process started to run ParentProcessStartTime Site ID SiteId Unique ID of parent process ParentProcessUniqueKey Site name SiteName Process command line ProcessCmd Account ID AccountId Display name of process ProcessDisplayName Account Name AccountName Generated ID of the group of processes, from first parent to last ProcessGroupId FILE/REGISTRY INTEGRITY generation (SentinelOne Patent) File ID FileID Pathname of running process ProcessImagePath File Name FileFullName SHA1 signature of running process ProcessImageSha1Hash Date and time of file creation FileCreatedAt String: SYSTEM (operating system MD5 FileMD5 processes), HIGH (administrators), Date and time of file change FileModifyAt MEDIUM (non-administrators), ProcessIntegrityLevel LOW (temporary Internet files), SHA1 signature FileSHA1 UNTRUSTED SHA256 signature FileSHA256 Process Name ProcessName SHA1 of file before it was changed OldFileSHA1 ID of the terminal session of a ProcessSessionId Name of file before rename OldFileName process Identity of file signer Publisher Process start time ProcessStartTime Signature Status Signed Status String: SYS_WIN32, SYS_WSL, ProcessSubSystem Verification Status Verified status SUBSYSTEM_UNKNOWN Why not verified Why not verified Unique ID of process ProcessUniqueKey Registry Key Unique ID RegistryID PID after relinked Rpid Full path location of the RegistryPath Registry Key entry Thread ID Tid ID of all objects associated TrueContext with a detection NETWORK DATA String: GET, POST, PUT, DELETE NetworkMethod Username User URL NetworkUrl DNS response data DNSResponse SCHEDULED TASKS IP address of the destination DstIP Name of a scheduled task TaskName Full path location of a Port number of destination DstPort TaskPath scheduled task IP address of traffic source SrcIP The file who has been executed executable file Port number of traffic source SrcPort Browser type Source www.SentinelOne.com | [email protected] | +1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043 HUNTING QUERIES QUERY SYNTAX QUERY SYNTAX Clear Windows Event Logs Net User Add User ProcessCmd RegExp "net\s+user(?:(?!\s+/add) ProcessCmd ContainsCIS "wevtutil cl system" (?:.|\n))*\s+/add" Powershell or Wevtutil OR ProcessCmd ContainsCIS "Clear-EventLog" processCmd = "REG ADD HKLM\SYSTEM\ netsh disable firewall ProcessCmd ContainsCIS "netsh firewall" Enable SMBv1 CurrentControlSet\Services\LanmanServer\ AND ProcessCmd ContainsCIS "disable" Parameters /v SMB1 /t REG_DWORD /d 1 /f" Query logged in Users ProcessCmd ContainsCIS "quser" Unusual Schedule ProcessCmd ContainsCIS "schtasks" AND Task Created processName != "Manages scheduled tasks" Qwinsta - Display information Terminal ProcessCmd ContainsCIS "qwinsta" Powershell with Net DstIP Is Not Empty AND ProcessName Sessions connections ContainsCIS "powershell" Current Running Processes ProcessCmd ContainsCIS "tasklist" (ProcessName ContainsCIS "windows command Net User - Query a User ProcessCmd ContainsCIS "net user" Shell Process Creating File processor" OR ProcessName ContainsCIS "powershell") AND FileModifyAt > "Mar 26, 2017 00:00:39" Query Network Shares ProcessCmd ContainsCIS "net share" Query Account & (ProcessName ContainsCIS "windows command ProcessCmd ContainsCIS "net accounts" processor" OR ProcessName ContainsCIS Password Policy Shell Process Modify or File "powershell") AND (FileModifyAt > "Mar 26, Net Config - Query 2017 00:00:10" OR FileCreatedAt > "Mar 26, ProcessCmd ContainsCIS "net config 2017 00:00:31") Workstation Current Settings workstation" Registry Alteration via ProcessCmd RegExp "reg\s+add" OR ProcessCmd Query AD ProcessCmd ContainsCIS "dsquery" Command line RegExp "reg\s+del" WMIC user account list ProcessCmd ContainsCIS "wmic useraccount get" processImagePath = "C:\Windows\System32\ OR ProcessCmd RegExp "wmic useraccount list" svchost.exe" AND User != "NT AUTHORITY\ WMIC NT Domain svchost.exe running in a ProcessCmd ContainsCIS "wmic ntdomain" SYSTEM" AND User != "NT AUTHORITY\LOCAL Object Query unusual user context SERVICE" AND User != "NT AUTHORITY\NETWORK SERVICE" WMIC Group List on ProcessCmd ContainsCIS "wmic group list" Local System Powershell runnning as ProcessName ContainsCIS "powershell" AND User system user ContainsCIS "SYSTEM" WMIC List built in ProcessCmd ContainsCIS "wmic System Accounts sysaccount list" Powershell Scheduled ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tasks Created Reg Query - last 10 files ProcessCmd ContainsCIS "RecentDocs" AND Tool" accessed or executed ProcessCmd ContainsCIS "REG QUERY" AND by explorer ProcessCmd ContainsCIS "explorer" Executable Created FileCreatedAt > "Apr 2, 2017 00:00:03" AND ProcessName ContainsCIS ".exe" Reg Query - RunOnce ProcessCmd ContainsCIS "Runonce" AND ProcessName ContainsCIS "Host Process for ProcessCmd ContainsCIS "REG QUERY" Suspicious Parent Windows Services" AND ParentProcessName != "Host Process for Windows Services" AND Reg Query - Check Patterns ProcessCmd ContainsCIS "Reg Query" Process svchost.exe AND ProcessCmd ContainsCIS "Disk" AND ParentProcessName != "Services and Controller for Virtual Machines app" ProcessCmd ContainsCIS "Enum" Query Group Policy ParentProcessName = "Insert Vulnerable ProcessCmd ContainsCIS "gpresult" RSOP Data Vulnerable App Application name from Applications Tab" AND (ProcessName ContainsCIS "Windows Command System Info - windows ProcessCmd ContainsCIS "systeminfo" launching shell Processor" OR ProcessName ContainsCIS "Powershell") ProcessCmd ContainsCIS "systeminfo" OR ProcessCmd RegExp "ver >" OR ProcessCmd Excel Running Shell ParentProcessName ContainsCIS "excel" AND System Info and RegExp "type\s+%APPDATA%" OR ProcessCmd (ProcessName ContainsCIS "sh" OR ProcessName or Python Network data gathering RegExp "ipconfig" OR ProcessCmd RegExp "net\ ContainsCIS "python") s+view" OR ProcessCmd RegExp "arp -a" OR Whoami ProcessCmd ContainsCIS "whoami" ProcessCmd RegExp "netstat" WMIC Process Get - Process Powershell Get processCmd RegExp "powershell\.exe\s+echo\ ProcessCmd RegExp "wmic\s+process\s+get" Clipboard Entry s+Get\-Process\s+\|\s+clip" data and sub commands WMIC qfe - Gather Powershell Get processCmd ContainsCIS "powershell.exe echo ProcessCmd ContainsCIS "wmic qfe" Running Processes Get-Process" Windows Patch Data Powershell Search processCmd ContainsCIS "powershell Get- ProcessName ContainsCIS "powershell" for Doc Files ChildItem -Recurse -Include *.doc" AND (ProcessCmd ContainsCIS "Invoke- Powershell suspicious Expression" OR ProcessCmd ContainsCIS Find string processCmd ContainsCIS "findstr" "-encodedcommand" OR ProcessCmd ContainsCIS commands "hidden" OR ProcessCmd ContainsCIS "write- Windows 10 Get ProcessCmd ContainsCIS "wmic nic" host" OR ProcessCmd ContainsCIS "Get- Network Adaptor Details NetIPConfiguration") Execute File in processCmd ContainsCIS "/FILE" AND ProcessCmd echo command ProcessCmd ContainsCIS "echo" Appdata folder ContainsCIS "Appdata" regsvr32 and scrobj.dll ProcessCmd ContainsCIS "regsvr32" AND Nslookup ProcessCmd ContainsCIS "nslookup" register-unregister dll ProcessCmd ContainsCIS "scrobj.dll" Net User Delete User ProcessCmd RegExp "net\s+user(?:(?!\s+/ regsvr32 suspicious processName = "Microsoft(C) Register Server" delete)(?:.|\n))*\s+/delete" downloads AND DstIP Is Not Empty Net User Domain ProcessCmd RegExp "net\s+user(?:(?!\s+/ regsvr32 suspicious processName = "Microsoft(C) Register Server" domain)(?:.|\n))*\s+/domain" file modification AND FileModifyAt > "Mar 1, 2019 00:00:45" Add user to AD ProcessCmd ContainsCIS "dsadd user" ProcessCmd ContainsCIS "regsvr32" AND (RegistryPath ContainsCIS "machine\software\ Powershell add local user ProcessCmd ContainsCIS "powershell.exe regsvr32 Persistence New-LocalUser" classes" OR ProcessCmd ContainsCIS "schtasks\ s+/create") Powershell upload or ProcessCmd ContainsCIS "(New-Object Net. download methods Webclient)" ProcessCmd ContainsCIS "bitsadmin" AND Bitsadmin suspicious (ProcessCmd ContainsCIS "transfer" OR ProcessCmd ContainsCIS "download" OR Suspicious - List all ProcessCmd ContainsCIS "setspn" AND commands ProcessCmd RegExp "-t" AND ProcessCmd RegExp ProcessCmd ContainsCIS ".ps1" OR ProcessCmd SPNs in a Domain "-q */*" ContainsCIS "powershell") ProcessCmd ContainsCIS "reg add" AND list vssadmin shadows ProcessCmd ContainsCIS "vssadmin.exe list shadows" Registry Persistence (ProcessCmd ContainsCIS "Run" OR ProcessCmd ContainsCIS "Null") Add user or Query local ProcessCmd ContainsCIS "net localgroup admin group administrators" Copy commands ProcessCmd ContainsCIS "copy" OR ProcessCmd ContainsCIS "xcopy" Change firewall ProcessCmd ContainsCIS "netsh advfirewall" profile settings www.SentinelOne.com | [email protected] +1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043.