In this article, we continue exploring the power of SentinelOne’s custom detection rules to enhance control over your environment's security. These rules allow you to define specific conditions for detecting and responding to potential threats, giving you the flexibility to act beyond built-in detections.
11. Mimikatz (Reg Add with Process Name)
Rule:
tgt.process.name == "powershell.exe" AND
(registry.keyPath == "SYSTEM\\CurrentControlSet\\Services\\mimidrv" OR
tgt.process.cmdline contains:anycase("MISC::AddSid", "LSADUMP::DCShadow",
"SEKURLSA::Pth", "CRYPTO::Extract")) AND
(file.name in:anycase("vaultcli.dll", "samlib.dll", "kirbi"))
Description: Detects malicious registry modifications associated with Mimikatz. The rule identifies suspicious PowerShell activity and DLL manipulations indicative of credential dumping or lateral movement.
12. MimikatzV (Behavior-Based)
Rule:
event.type == "Behavioral Indicators" AND
indicator.name in:matchcase("Mimikatz", "PrivateKeysStealAttemptWithMimikatz") OR
(event.type == "File Creation" AND
tgt.file.path matches(".*\\mimikatz.*", ".*\\sekurlsa.*", ".*\\mimidrv.*",
".*\\mimilib.*")) OR
(event.type == "Threat Intelligence Indicators" AND
tiIndicator.malwareNames contains:anycase("Mimikatz"))
Description: A behavior-based rule for detecting Mimikatz activity by monitoring file creation, threat intelligence indicators, and behavioral signs linked to credential theft.
13. Disable Veeam Backup ServicesV2
Rule:
tgt.process.cmdline contains:anycase("net.exe stop veeamdeploysvc",
"vssadmin.exe Delete Shadows", "vssadmin.exe delete Shadows /All /Quiet",
"wmic shadowcopy delete")
Description: Flags attempts to stop Veeam Backup services or delete volume shadow copies, steps attackers commonly take to disrupt data recovery during ransomware campaigns.
14. Mimikatz Executables
Rule:
tgt.file.path contains:anycase("mimikatz.exe", "mimikatz", "mimilove.exe",
"mimilove", "mimidrv.sys", "mimidrv", "mimilib.dll", "mimilib", "mk.7z")
Description: Detects the presence of Mimikatz executables or libraries, identifying potential tool deployment for credential harvesting.
15. Rclone (you can use other tools such as mega.io or FileZilla in the same way)
Rule:
src.process.name in:matchcase("rclone.exe", "rclone.org", "Rclone.exe") AND
event.dns.request == "rclone.org" OR
tgt.process.cmdline contains:anycase("rclone") OR
src.process.displayName contains:anycase("rclone") OR
src.process.cmdline contains:anycase("rclone")
Description: Monitors activity related to Rclone, a legitimate tool often abused for exfiltrating data to cloud storage services.
16. NTDSUtil
Rule:
event.type == "Process Creation" AND
((tgt.process.cmdline contains:anycase("copy ") AND
(tgt.process.cmdline contains:anycase("\\Windows\\NTDS\\NTDS.dit") OR
tgt.process.cmdline contains:anycase("\\Windows\\System32\\config\\SYSTEM "))) OR
(tgt.process.cmdline contains:anycase("save") AND
tgt.process.cmdline contains:anycase("HKLM\\SYSTEM ")) OR
(tgt.process.name == "ntdsutil.exe" AND
tgt.process.cmdline contains:anycase("ac i ntds")) OR
(tgt.process.name == "mklink.exe" AND
tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy"))) AND
!(src.process.cmdline contains:anycase("Get-psSDP.ps1")) OR
(src.process.cmdline contains:anycase("ntdsutil") AND
src.process.cmdline contains:anycase("ifm")) OR
(tgt.process.cmdline contains:anycase("ntdsutil") AND
tgt.process.cmdline contains:anycase("ifm"))
Description: Targets suspicious usage of NTDSUtil to access Active Directory databases and other sensitive registry keys, a technique used in domain compromises.
17. CURL Connecting to IPs
Rule:
src.process.cmdline contains:matchcase("curl.exe") AND
event.network.direction == "OUTGOING" AND
dst.ip.address matches("^((?!10\\.).)*$") AND
dst.ip.address matches("^((?!172\\.1[6-9]\\.).)*$") AND
dst.ip.address matches("^((?!172\\.2[0-9]\\.).)*$") AND
dst.ip.address matches("^((?!172\\.3[0-1]\\.).)*$")
Description: Detects outbound curl.exe connections to IP addresses outside the private ranges excluded by the regexes, helping to identify potential data exfiltration attempts.
18. Admin$hare Activity (Cobalt Strike - Service Install Admin Share)
Rule:
src.process.cmdline contains:matchcase("\\127.0.0.1\\ADMIN$") AND
src.process.cmdline contains:matchcase("cmd.exe /Q /c")
Description: Identifies suspicious activity targeting the ADMIN$ share, often used by tools like Cobalt Strike for lateral movement.
19. RDP Detection (Any Port)
Rule:
event.type == "IP Connect" AND
event.network.direction == "INCOMING" AND
src.process.cmdline contains:anycase("-k NetworkService -s TermService") AND
src.ip.address matches("\\b(?!10|192\\.168|172\\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") AND
src.ip.address != "127.0.0.1"
Description: Monitors incoming RDP connections, highlighting unusual or unauthorized attempts to access the environment.
20. RDP Detection (Port 3389)
Rule:
dst.port.number == 3389 AND
event.network.direction == "INCOMING" AND
src.ip.address matches("\\b(?!10|192\\.168|172\\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") AND
src.ip.address != "127.0.0.1"
Description: Focused detection of RDP activity on the standard port 3389, which is commonly targeted in brute-force attacks.
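Added example, not code from the article or from SentinelOne: the IP-range regexes from rule 17 and from rules 19 and 20 run in Python against constructed addresses, so you can see what each clause actually excludes before relying on it. It assumes `matches` behaves like an unanchored regex search (Python `re.search`); the comments record what the run shows.

```python
import re

# Patterns copied from rules 17 and 19/20; the query language's "\\." is the
# raw-string "\." here, so the regexes themselves are unchanged.
CURL_NOT_PRIVATE = [
    r"^((?!10\.).)*$",            # rejects "10." at ANY position, not just octet 1
    r"^((?!172\.1[6-9]\.).)*$",
    r"^((?!172\.2[0-9]\.).)*$",
    r"^((?!172\.3[0-1]\.).)*$",
]                                 # note: no 192.168.0.0/16 and no loopback clause
RDP_NOT_PRIVATE = (
    r"\b(?!10|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"   # "(?!10" lacks "\.", so it
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))"  # also drops 100.x to 109.x
    r"[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)

def curl_rule_fires(dst_ip: str) -> bool:
    """True when every dst.ip.address 'matches' clause of rule 17 holds."""
    return all(re.search(p, dst_ip) is not None for p in CURL_NOT_PRIVATE)

def rdp_rule_fires(src_ip: str) -> bool:
    """True when the src.ip.address clauses shared by rules 19 and 20 hold."""
    return re.search(RDP_NOT_PRIVATE, src_ip) is not None and src_ip != "127.0.0.1"

# Constructed sample addresses, not taken from any real telemetry.
SAMPLES = ["10.0.0.5", "172.16.4.4", "172.32.1.1", "192.168.1.20",
           "8.8.8.8", "203.0.10.7", "100.64.0.1", "110.0.0.1", "127.0.0.1"]

def classify_ips(samples=SAMPLES) -> dict:
    """Map each address to (rule 17 fires, rules 19/20 fire)."""
    return {ip: (curl_rule_fires(ip), rdp_rule_fires(ip)) for ip in samples}

if __name__ == "__main__":
    for ip, (curl, rdp) in classify_ips().items():
        print(f"{ip:14} curl_rule={str(curl):5} rdp_rule={rdp}")
```

Two results worth noting when tuning: rule 17 alerts on 192.168.1.20 and 127.0.0.1 but stays silent on the public address 203.0.10.7, and rules 19/20 drop sources in 100.64.0.0/10 because of the missing dot in the lookahead.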
Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋