In this article, we continue exploring the power of SentinelOne’s custom detection rules to enhance control over your environment's security. Below are more custom detection rules tailored for advanced threat detection, covering various scenarios like remote desktop activity, SMB connections, PowerShell misuse, and suspicious file transfers.
21. RDP Session Start Events with Non-Local Connections
Rule:
```
(event.type == "Process Exit" AND src.process.cmdline contains:anycase("mstsc.exe")) OR
(event.type == "Process Creation" AND
 src.process.cmdline contains:anycase("mstsc.exe") AND
 !(src.ip.address matches:anycase("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")))
```
Description: Detects mstsc.exe launches whose source address lies outside the local ranges (unspecified, loopback and link-local), and also every mstsc.exe process exit, highlighting potential unauthorized remote connections. Private (RFC 1918) addresses are not in the exclusion list, so RDP sessions started from the internal LAN match as well.
22. Creation of Processes Related to Remote Desktop Tools and Protocols
Rule:
```
event.type == "Process Creation" AND
!(src.ip.address matches:anycase("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")) AND
src.process.cmdline contains:anycase("mstsc", "vnc", "ssh", "teamviewer", "anydesk",
  "logmein", "chrome remote desktop", "splashtop", "gotomypc", "parallels access")
```
Description: Monitors process creation whose command line names a remote access tool, excluding the same local IP ranges as rule 21; matches could indicate suspicious remote activity. The short tokens ("vnc", "ssh") are substring matches, so expect to add exclusions for legitimate administration tooling before enabling alerts.
23. SMB Connections Indicating Lateral Movement
Rule:
```
event.type == "IP Connect" AND
event.network.direction == "INCOMING" AND
event.network.protocolName == "smb" AND
dst.port.number == 445
```
Description: Flags incoming SMB connections on port 445, a protocol commonly used for lateral movement during network compromises. Every inbound SMB session matches, so scope the rule to endpoints that should not be serving SMB (workstations rather than file servers) to keep the alert volume manageable.
24. BitsTransfer Activity
Rule:
```
event.type == "Process Creation" AND
tgt.process.cmdline contains:anycase("BitsTransfer") AND
tgt.file.extension in:anycase("ps1", "bat", "exe", "dll", "zip", "rar", "7z", "tar")
```
Description: Monitors command lines that invoke BitsTransfer to download or upload files with the listed script, executable and archive extensions, a technique often used to evade detection in malicious activity.
25. PowerShell Web Request
Rule:
```
event.type == "Process Creation" AND
tgt.process.displayName == "Windows PowerShell" AND
(tgt.process.cmdline contains:anycase("Invoke-WebRequest", "iwr", "wget", "curl",
  "Net.WebClient", "Start-BitsTransfer"))
```
Description: Detects Windows PowerShell commands that perform web requests (Invoke-WebRequest and its aliases, the .NET WebClient class and Start-BitsTransfer), which may indicate malicious script downloads or data exfiltration. The short aliases "iwr", "wget" and "curl" are substring matches and will also hit unrelated command lines that happen to contain those letters.
26. Suspicious File Uploads to Cloud Services
Rule:
```
(event.category == "url" AND
 url.address matches("https?://(?:www\\.)?(?:dropbox\\.com|drive\\.google\\.com|onedrive\\.live\\.com|box\\.com|mega\\.nz|icloud\\.com|mediafire\\.com|pcloud\\.com)"))
OR
(event.category == "url" AND event.url.action == "PUT" AND
 url.address matches("https?://(?:www\\.)?(?:dropbox\\.com|drive\\.google\\.com|onedrive\\.live\\.com|box\\.com|mega\\.nz|icloud\\.com|mediafire\\.com|pcloud\\.com)"))
```
Description: Detects URL events for the listed cloud storage platforms, which could signify data exfiltration efforts. As written, the first clause already matches any request to these hosts, so the PUT-specific second clause adds no further hits; keep only the second clause if the rule should fire on uploads alone.
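As an added example, not code from this article or from SentinelOne, the logic of rules 22 and 26 re-implemented in plain Python and run over constructed events; it makes two properties of the rules visible: a private address such as 10.0.0.5 is not covered by the local-range exclusion, and the first clause of rule 26 already matches plain visits. The event dictionaries, the helper names and the CIDR-membership reading of the IP exclusion are assumptions.

```python
import ipaddress
import re

# Added example: plain-Python re-implementation of the logic of rules 22 and 26.
# Event dicts only mimic the field names the rules use; they are not SentinelOne's
# real event schema and this is not SentinelOne code. The rules' IP exclusion is
# modelled as CIDR membership (an assumption about how the product evaluates it).
LOCAL_RANGES = [ipaddress.ip_network(c) for c in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
REMOTE_TOOLS = ("mstsc", "vnc", "ssh", "teamviewer", "anydesk", "logmein",
                "chrome remote desktop", "splashtop", "gotomypc", "parallels access")
CLOUD_RE = re.compile(
    r"https?://(?:www\.)?(?:dropbox\.com|drive\.google\.com|onedrive\.live\.com"
    r"|box\.com|mega\.nz|icloud\.com|mediafire\.com|pcloud\.com)", re.IGNORECASE)

def is_local(ip: str) -> bool:
    """True if the address is in one of the ranges rules 21 and 22 exclude."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_RANGES)

def rule22(ev: dict) -> bool:
    """Remote-access tool launched from a source address outside the excluded ranges."""
    if ev.get("event.type") != "Process Creation" or is_local(ev["src.ip.address"]):
        return False
    cmd = ev.get("src.process.cmdline", "").lower()  # contains:anycase -> case-folded substring
    return any(tool in cmd for tool in REMOTE_TOOLS)

def rule26_as_written(ev: dict) -> bool:
    """First OR branch of rule 26: any URL event on a listed cloud host. The second
    branch (same host match AND action == PUT) is a subset, so it adds no hits."""
    return ev.get("event.category") == "url" and CLOUD_RE.search(ev["url.address"]) is not None

def rule26_uploads_only(ev: dict) -> bool:
    """Rule 26 narrowed to its PUT branch, for tenants that only want uploads to alert."""
    return rule26_as_written(ev) and ev.get("event.url.action") == "PUT"

# Constructed sample events (not real telemetry).
EVENTS = {
    "lan_rdp":  {"event.type": "Process Creation", "src.ip.address": "10.0.0.5",
                 "src.process.cmdline": r"C:\Windows\System32\mstsc.exe /v:fs01"},
    "loopback": {"event.type": "Process Creation", "src.ip.address": "127.0.0.1",
                 "src.process.cmdline": r"C:\Windows\System32\mstsc.exe"},
    "visit":    {"event.category": "url", "event.url.action": "GET",
                 "url.address": "https://www.dropbox.com/home"},
    "upload":   {"event.category": "url", "event.url.action": "PUT",
                 "url.address": "https://dropbox.com/upload"},
}
```

Running the four sample events through the functions shows "lan_rdp" firing rule 22 while "loopback" does not, and "visit" firing the rule as written but not the PUT-only variant.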
Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋
Thank you so much for staying with me throughout this complete series on SentinelOne. It has always been a pleasure writing and sharing knowledge so others can benefit. With this final article, I wrap up my coverage on SentinelOne—until I receive further requests to explore more on this topic. For now, I'll be shifting my focus to other articles and new areas of research. Stay curious, keep learning, and as always, take care. See you soon! 🚀