SentinelOne Threat Hunting Series P1: Must-Have Custom Detection Rules
- Jan 14

In this three-part series, we'll explore custom rules for threat detection and hunting in SentinelOne.
These rules are written as STAR (Storyline Active Response) custom rules, which run Deep Visibility queries against endpoint telemetry to proactively flag malicious activity and strengthen security posture.
If you need any rules tailored to your environment, feel free to email me via the Contact Us page with your requirements, and I'll be happy to create them for you!
Part 1: Top 10 Must-Have Rules for Threat Hunting
1. Delete Shadow Volume Copies
Purpose: Detects attempts to delete shadow copies with vssadmin, a common ransomware tactic to prevent file recovery. Both patterns spell out vssadmin.exe and a particular casing, so a process started as vssadmin delete shadows /all /quiet (no extension) matches neither pattern because the .exe is absent from the command line; tune the patterns to the variants you actually see in your telemetry.
Rule:
tgt.process.cmdline matches("vssadmin\\.exe Delete Shadows","vssadmin\\.exe delete Shadows /All /Quiet")
2. Suspect Volume Shadow Copy Behavior Detected
Purpose: Identifies attempts to read credential stores (ntds.dit, the SAM and SYSTEM hives) through a shadow copy path. src.process.name holds only the file name, not a path, so the exclusion compares against esentutl.exe. Treat that exclusion with care: esentutl.exe is itself a common way to copy ntds.dit out of a shadow copy, so keep it only where a backup product is confirmed to use it, and prefer scoping exclusions by publisher.
Rule:
tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy") AND (
tgt.process.cmdline contains:anycase("ntds\\ntds.dit") OR
tgt.process.cmdline contains:anycase("system32\\config\\sam") OR
tgt.process.cmdline contains:anycase("system32\\config\\system")) AND !(
src.process.name == "esentutl.exe" OR
src.process.publisher in:matchcase("Veritas Technologies LLC", "Symantec Corporation"))
3. Impact - Shadow Copy Delete Via WMI/CIM Detected
Purpose: Flags deletion of shadow copies through the Win32_ShadowCopy WMI/CIM class from PowerShell (Get-WmiObject/gwmi or Get-CimInstance/gcim followed by a Delete or Remove call). Note that the wmic shadowcopy delete form never mentions the class name and therefore needs a clause of its own.
Rule:
tgt.process.cmdline contains:anycase("win32_shadowcopy") AND (
tgt.process.cmdline contains:anycase("Get-WmiObject") OR
tgt.process.cmdline contains:anycase("Get-CimInstance") OR
tgt.process.cmdline contains:anycase("gwmi") OR
tgt.process.cmdline contains:anycase("gcim")) AND (
tgt.process.cmdline contains:anycase("Delete") OR
tgt.process.cmdline contains:anycase("Remove"))
4. Suspect Symlink to Volume Shadow Copy Detected
Purpose: Detects creation of a symbolic link (mklink) to a shadow copy device path, a step used to browse a shadow copy and copy protected files such as ntds.dit out of it.
Rule:
tgt.process.cmdline contains:anycase("mklink") AND
tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy")
5. Stop or Delete the Microsoft Defender Service
Purpose: Monitors attempts to stop or delete the WinDefend service with sc.exe, plus the most common PowerShell one-liner for switching off real-time monitoring. The PowerShell clause only matches that exact literal, so an encoded command or a differently spelled invocation slips past it; rule 6 below covers the cmdlet itself. Both the sc and sc.exe spellings are matched for the service commands.
Rule:
tgt.process.cmdline contains:anycase("Set-MpPreference -DisableRealtimeMonitoring $true") OR
tgt.process.cmdline contains:anycase("sc stop WinDefend", "sc.exe stop WinDefend") OR
tgt.process.cmdline contains:anycase("sc delete WinDefend", "sc.exe delete WinDefend")
6. Disable Windows Defender
Purpose: Detects various attempts to disable Microsoft Defender features.
Rule:
tgt.process.cmdline contains:anycase("Set-MpPreference") AND (
tgt.process.cmdline contains:anycase("-DisableArchiveScanning") OR
tgt.process.cmdline contains:anycase("-DisableAutoExclusions") OR
tgt.process.cmdline contains:anycase("-DisableBehaviorMonitoring") OR
tgt.process.cmdline contains:anycase("-DisableBlockAtFirstSeen") OR
tgt.process.cmdline contains:anycase("-DisableCatchupFullScan") OR
tgt.process.cmdline contains:anycase("-DisableCatchupQuickScan") OR
tgt.process.cmdline contains:anycase("-DisableEmailScanning") OR
tgt.process.cmdline contains:anycase("-DisableRealtimeMonitoring"))
7. Disable Windows Defender Via Registry Key
Purpose: Flags reg.exe writes to the Defender policy key that set DisableAntiSpyware or DisableAntiVirus, the registry route to switching the engine off. Both the reg add and reg.exe add spellings are matched.
Rule:
tgt.process.cmdline contains:anycase("reg add", "reg.exe add") AND
tgt.process.cmdline contains:anycase("\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") AND (
tgt.process.cmdline contains:anycase("DisableAntiSpyware") OR
tgt.process.cmdline contains:anycase("DisableAntiVirus"))
8. Tamper with Windows Defender Default Threat Actions
Purpose: Detects Set-MpPreference or Remove-MpPreference calls that change the default action for High or Severe threats (for example, setting it to Allow), which lets detected malware run without remediation. The parentheses around the two cmdlets matter: AND binds tighter than OR, so without them every Remove-MpPreference call (such as removing an exclusion) would fire the rule.
Rule:
(tgt.process.cmdline contains:anycase("Remove-MpPreference") OR
tgt.process.cmdline contains:anycase("Set-MpPreference")) AND (
tgt.process.cmdline contains:anycase("HighThreatDefaultAction") OR
tgt.process.cmdline contains:anycase("SevereThreatDefaultAction"))
9. SVCHOST Spawned by Unsigned Process
Purpose: Flags svchost.exe being launched by an unsigned parent. Legitimate svchost.exe instances are almost always started by the Microsoft-signed services.exe, so an unsigned parent points to masquerading or injection. Signing state is exposed through the signedStatus attribute rather than the publisher string; confirm the value against a known unsigned binary in Deep Visibility before enabling the rule, and expect some noise from unsigned third-party installers.
Rule:
src.process.signedStatus == "unsigned" AND
tgt.process.name == "svchost.exe"
10. Mimikatz via PowerShell
Purpose: Detects PowerShell processes whose own command line references Invoke-Mimikatz (the Invoke-Mimikatz.ps1 file name is covered by the shorter substring). This only catches plain-text invocations: -EncodedCommand, or a script that pulls Mimikatz at runtime, keeps the name out of the process command line, so pair this rule with script-block logging or AMSI-based detections.
Rule:
tgt.process.name == "powershell.exe" AND
tgt.process.cmdline contains:anycase("Invoke-Mimikatz")

Closing Note
Stay tuned for more custom threat-hunting rules and best practices in the next articles of this series! If you have specific rule requirements or ideas, feel free to reach out through the Contact Us section.
Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋
Dean