
- Welcoming the New Year: A Time for New Beginnings and Endless Possibilities
As we close the chapter on another year, it’s time to look ahead with excitement, hope, and optimism. The New Year is not just a date on the calendar—it's a fresh start, a blank page waiting to be filled with new memories, challenges, and achievements. Whether you’re looking forward to personal growth, professional success, or simply enjoying the little moments, this time of year offers a perfect opportunity to reflect, reset, and reimagine what’s possible.

Looking Forward: The Future is Bright

The New Year is a canvas, and you hold the brush. The opportunities are limitless, and with the right mindset, every day can bring new possibilities. It's an exciting time to dream big and chase those dreams with passion and perseverance. No matter where you are in your journey, the New Year gives us all the chance to begin again. Remember, success isn't defined by perfection but by progress. Small steps taken consistently will lead to significant change over time. So, let’s embrace the unknown and welcome 2025 with open arms and hearts full of hope.

A Message of Gratitude to My Readers

As we step into this new chapter, I want to take a moment to express my heartfelt gratitude for your continued support. Your engagement, feedback, and trust have made this past year truly special. I am excited to continue this journey with you in the New Year and am committed to bringing you even more valuable content, inspiration, and updates.

Here’s to another year of growth, connection, and shared success! Wishing you a joyful, prosperous, and fulfilling New Year. May 2025 bring you closer to your dreams and fill your life with happiness and love. Happy New Year!
- SentinelOne (P7 - Activity/Reports): A Practical Guide / A Practical Training
Let’s dive into two key sections of SentinelOne’s console: the Activity Tab and the Reports Tab.

Activity Tab: The Console’s Audit Log

Think of the Activity Tab as a comprehensive logbook for the management console. It records every action and change made, providing a clear audit trail of events. Here’s what it does:
  - User Actions: Tracks which users logged into the console and when. Records actions like changes made to endpoints, policy modifications, exclusions added, and blocklists updated.
  - Log Fetching: When you fetch logs from endpoints, the Activity Tab becomes your go-to place. The logs are delivered in ZIP format, making it easy to analyze them offline.

In simple terms, the Activity Tab serves as the management console’s audit log, giving you transparency over everything happening in the console.

Pro Tip: Fetching endpoint logs will be covered in more depth in the upcoming article on automation; just remember that this tab is where the results will land.

Reports Tab: Scheduled or On-Demand Reporting

The Reports Tab is designed for generating insights either on a schedule or on demand.
  - Scheduled Reports: Set them up to generate recurring reports for routine analysis.
  - One-Time Reports: Create reports as needed for specific purposes or investigations.

The screenshot above gives a glimpse of the kind of reports you can generate.

Honest Opinion: Personally, I’ve found SentinelOne’s reports to be less impressive compared to its other features. That said, reports are subjective—you might find them useful depending on your specific needs. So, I encourage you to explore this feature and decide if it suits your workflow.

That’s all for now on the Activity and Reports tabs. These tools may seem straightforward, but they hold valuable information for both forensic and operational tasks. Stay tuned for the next article, where we’ll dive into logs and automation—a truly exciting topic! Until then, keep learning and growing. See you soon! 😊
- SentinelOne (P6 - ISPM/Application Management): A Practical Guide / A Practical Training
Before diving into the new chapter on Applications, I want to highlight Identity. While these features are undoubtedly promising, I haven’t yet configured or tested them. Rest assured, as soon as I get the opportunity to explore them, I’ll provide a detailed explanation.

-----------------------------------------------------------------------------------------------------------

If you ask me: What is Identity Security Posture Management (ISPM)?

Identity Security Posture Management (ISPM) is a proactive framework designed to secure an organization’s digital identities. By managing privileges, authentication methods, and access rights, ISPM minimizes identity-related risks such as breaches and unauthorized access.

Why is ISPM Critical?
  - Identity-focused threats: Most breaches stem from compromised identities. ISPM addresses risks like stolen credentials, privilege misuse, and insider threats.
  - Prevention over reaction: Proactively secures identities, reducing the likelihood of breaches.

Core Components of ISPM
  - Identity and Access Management (IAM): Controls access to resources based on roles and contexts.
  - Privileged Access Management (PAM): Enforces least privilege and audits privileged sessions.
  - Identity Governance and Administration (IGA): Automates identity life cycles, ensuring compliance and preventing unauthorized access.
  - Identity Analytics and Risk Intelligence (IARI): Detects abnormal access behaviors using analytics and machine learning.

Configuring ISPM

To implement ISPM in SentinelOne, you need to configure an application.

Step 1: Register an Application in Azure. Follow the detailed guide below to configure your app in Azure Active Directory.
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate

Output Example

Once configured, the system can provide detailed insights. For instance, it can identify vulnerable objects (e.g., domain controllers, unwanted shares, or stored sensitive files), with detailed information such as:
  - Object Type: (e.g., file, server, account).
  - Name: The specific resource at risk.
  - SAM Account Name: The Security Account Manager (SAM) identifier.

Additional Insights: For each vulnerability, the system offers recommendations on how to resolve it effectively.

Why ISPM Is Awesome: By integrating ISPM, organizations can proactively address identity vulnerabilities, automate risk detection, and strengthen their security posture effortlessly.

-------------------------------------------------------------------------------------------------------------

Let’s move on to the next feature, Applications—a cornerstone of SentinelOne’s capabilities. The Application Management feature in SentinelOne gives you a clear and detailed view of all third-party applications on your endpoints, along with the risks they pose. In this tab you mostly get three features:

Application Inventory
SentinelOne scans your endpoints and compiles a list of all detected third-party applications, showing you their publishers and versions (when available). Here’s how the scanning works for different platforms:
  - Windows: Reads application data from the registry.
  - macOS: Uses Spotlight’s indexed data.
  - Linux: Checks installed software via DPKG and RPM packages.
You can either:
  - Manually Scan: Click Actions > Scan Now to start scanning anytime.
  - Automate Scanning: Enable automatic scans to keep the inventory up to date.
Want more details about an application? Click on it to see the endpoints it’s installed on.

Tracking Risks
Use the Risks page to see a centralized list of risks tied to applications and their versions. Drill down into specific details, like:
  - The endpoints running a vulnerable application.
  - CVEs (Common Vulnerabilities and Exposures) linked to a specific app.

Scan Policies
Scanning for vulnerabilities is off by default. You’ll need to enable it in the Scan Policy settings. Once enabled, you can run manual or automatic scans.
Scanning Options:
  - Vulnerability and Application Scans: Detect new software or endpoints, update daily vulnerability data, and dynamically map CVEs.
  - Extensive Scans: Check for missing patches and OS vulnerabilities (requires a Vulnerability Management Add-On).

-------------------------------------------------------------------------------------------------------------

Wrapping Up the Applications Feature

In essence, the Applications feature in SentinelOne acts as a streamlined tool for managing software within your environment. While it functions somewhat similarly to vulnerability scanning, its true value lies in providing an overview of application deployment and potential risks. Here’s why it’s worth using:
  - Visibility into Installed Applications: It lets you easily identify which applications are installed across your endpoints, saving time when performing assessments.
  - Vulnerability Insights: A significant use case is tracking vulnerabilities linked to specific applications. For instance, if a critical vulnerability emerges, you can quickly determine how many endpoints are running the affected software.
  - Post-Attack Analysis: After an attack, this feature can help assess the scope of potential application-based exploitation, aiding in understanding and mitigating the damage.

While its utility might feel more "standard" compared to some of SentinelOne's advanced capabilities, I find this feature particularly helpful in vulnerability management and incident response. It simplifies identifying application-related risks, helping you prioritize and act swiftly in critical scenarios.

I’ll pause here for now on the Applications tab, as it’s time to work on another article! Until then, keep scanning and learning. See you soon! 😊 Happy application scanning! 🚀
- SentinelOne (P5 - Incidents): A Practical Guide / A Practical Training
When it comes to cybersecurity, Incidents in SentinelOne is where most of the action happens. This is the go-to place for SOC analysts, alert monitoring teams, and even DFIR (Digital Forensics and Incident Response) professionals like me to analyze and respond to alerts. Let’s break it down step by step.

------------------------------------------------------------------------------------------------------------

Hierarchy in SentinelOne: A Quick Refresher

Before diving in, remember the hierarchy structure in SentinelOne that governs what alerts you can see. It works just like we discussed in other articles:
  - Group Level: You only see alerts related to endpoints within that group.
  - Site Level: You see alerts for all groups under that site.
  - Account Level: You see alerts across all sites and groups under your organization.

Example: Imagine a company named ABC.
  - ABC has two sites: London and Melbourne.
  - London contains two groups: CD and FS.
  - Melbourne contains two groups: EF and GS.
If you’re working at:
  - Group Level (EF): You’ll see alerts only for endpoints in EF: Global > ABC > Melbourne > EF
  - Site Level (Melbourne): You’ll see alerts for EF and GS: Global > ABC > Melbourne
  - Account Level (ABC): You’ll see alerts for all endpoints across both sites (London and Melbourne): Global > ABC
Easy, right? This hierarchy is key to understanding where to find and analyze alerts.

------------------------------------------------------------------------------------------------------------

At the top of the tab, you'll find a filtering section that allows you to apply various filters to refine your view based on specific criteria. Additionally, there is a free-text search option for quick and flexible searching. These features are straightforward and intuitive, requiring no detailed explanation.

------------------------------------------------------------------------------------------------------------

Incidents Tab Overview

When you open the Incidents tab, you’ll notice two key sections: Threats and Alerts. Let’s explore each of these tabs.

------------------------------------------------------------------------------------------------------------

Before diving deeper, I often encounter a common question: "If the file is legitimate and the hash is clean, why does SentinelOne flag it?" My response is simple yet important to understand—SentinelOne operates based on its advanced engine, leveraging behavioral analysis and TTPs (Tactics, Techniques, and Procedures). In such cases, certain indicators trigger detections, and SentinelOne flags the file. At this point, it’s up to the analyst or security team to review the detection and determine whether it’s a false positive. If it is, exclusions can be applied.

It’s important to highlight that the detection itself doesn’t mean the tool is flawed—quite the contrary. SentinelOne is exceptionally capable and highly effective. However, misunderstandings often arise when users lack knowledge of its functionality. So, if a legitimate file gets quarantined, don’t rush to criticize SentinelOne or any EDR solution. Instead, consider whether the detection process is being utilized and understood properly. The tool isn’t at fault; it’s a matter of knowing how to leverage its capabilities. SentinelOne is an outstanding solution—it just requires proper expertise to harness its full potential.

------------------------------------------------------------------------------------------------------------

Threats Tab

The Threats tab displays alerts triggered by SentinelOne’s engines. These engines analyze endpoint behavior to detect malicious activity or anomalies. Alerts here are based on predefined policies.
(We have talked about engines in our Sentinels article. Do check it out; link below.)
https://www.cyberengage.org/post/navigating-sentinel-one-p4-sentinels-a-practical-guide

Key Features: If a file or activity violates a policy or is deemed malicious, it generates an alert under the Threats tab. SentinelOne uses static and dynamic detection types to evaluate threats.

Static Detection
Static detection means the file was flagged before execution—based on its hash, signature, or other static indicators.
What to Expect in Static Alerts:
  - Overview Tab: Summarizes the alert and provides details like file path, hash, and who initiated the quarantine action.
  - Explorer Tab: Empty for static alerts because the file hasn’t executed yet.
  - Timeline Tab: Displays event details, such as who resolved the alert or issued quarantine commands.
Analysis Tips for Static Alerts:
  - Check the hash/path and verify whether the file is signed.
  - Use Deep Visibility (if enabled) for further investigation.

Dynamic Detection
Dynamic detection occurs when a file or process exhibits suspicious behavior during execution. SentinelOne identifies this activity and triggers an alert.
What to Expect in Dynamic Alerts:
  - Overview Tab: Lists basic alert information.
  - Explorer Tab: If you check the Explorer Tab in the dynamic alert interface, you'll notice it provides comprehensive details presented visually, such as execution graphs (as shown in the screenshot) and detailed insights into indicators, processes, files, and related events.
  - Files: This section includes information about all file-related activities, such as scheduled tasks, prefetch data, and other details related to the Windows file system. It gives a granular view of actions performed on or by files.

Processes: A Story in Motion
When analyzing processes, I like to think of them as storytellers. They reveal how an event unfolded, step by step. Let’s take an example from the screenshot. Here’s what I see:
  - A cmd command was executed.
  - That command triggered a batch script (hidden in this instance).
  - The script initiated the FreeFileSync application.
  - The process continued until SentinelOne flagged the activity.
Since SentinelOne detected something suspicious or potentially malicious, it intervened, stopping further execution. This proactive response is the reason the malicious process couldn't proceed further.

Additional Details You Can Derive
Dynamic alerts also provide the following (not available in the screenshot above):
  - Registry Information: Key registry changes associated with the event.
  - Network Actions: Information about network activity, such as the destination IP, port details, and more.

------------------------------------------------------------------------------------------------------------

Looking Ahead
This overview gives you a strong foundation for understanding the Threats Tab and analyzing alerts effectively. While I haven't included specifics about registry or network actions in this example (as this series doesn’t yet focus on alert analysis), let me know if you'd like a deeper dive into those aspects. If there's interest, I’d be happy to create a similar series dedicated to alert analysis!

------------------------------------------------------------------------------------------------------------

Alerts Tab Overview
The Alerts Tab is your central hub for monitoring all alerts generated based on the rules you’ve created in the backend. Here's how it works:
  - Alert Generation: If you’ve set up a rule to block specific files, any detection matching that rule will result in the file being blocked, and you’ll see an alert in the Alerts Tab. If the rule is set to detect-only mode, the system will flag the file as detected without blocking it and still generate an alert for your review.
  - Taking Action: Once an alert is triggered and appears in the Alerts Tab, you can decide what action to take directly from the backend. For example, as shown in the screenshot, you can block, isolate, or further investigate the detected threat.

Pro Tip: Use STAR Custom Rules
From the very beginning, I’ve emphasized the importance of STAR Custom Rules. These rules allow you to go beyond just responding to SentinelOne's out-of-the-box detections. By building your own comprehensive detection rules, you can:
  - Tailor detections to your organization’s unique needs.
  - Proactively identify threats specific to your environment.
  - Gain maximum value from SentinelOne by leveraging its full potential.

------------------------------------------------------------------------------------------------------------

Important Points About Handling Alerts in SentinelOne

Why Some Alerts Aren’t Quarantined: Occasionally, you may notice alerts under a Protect policy that should have triggered a quarantine action but didn’t. This can happen for several reasons, such as:
  - The endpoint was offline when the alert occurred.
  - Network connectivity issues prevented the quarantine command from being executed.
In such cases, if you determine the file is malicious, ensure you manually issue the quarantine command from the backend. Always verify that the action has been applied successfully.

Handling False Positives and File Recovery: If SentinelOne mistakenly quarantines a legitimate file due to a false positive, it’s possible to recover the file using the unquarantine command. However, there are critical steps to follow:
  - Whitelist First: Before unquarantining, add the file to the whitelist using its hash or path. This prevents the same file from being flagged and quarantined again.
  - Check File Integrity: Be cautious; in some cases, quarantined files may become corrupted during the process. If the file is critical, test its integrity immediately after recovery to ensure it’s usable.

About unquarantine failing: I was facing the issue earlier, but now it's sorted out, so I think we are good and this is not happening anymore. Still, the tip above stands: whitelist first, then unquarantine is the best method.

The Importance of Indicators in SentinelOne: SentinelOne’s Indicators are a crucial aspect of threat analysis. Unlike some tools where indicators are merely informational, in SentinelOne they often provide actionable insights. For example, if an alert doesn’t seem overtly malicious but includes an indicator like Pass-the-Hash Attack, treat it seriously. Fetch additional logs, analyze thoroughly, and escalate if necessary. Indicators can reveal subtle or advanced malicious activity that might otherwise be missed.

Pro Tip: Trust the indicators and investigate thoroughly, even when the rest of the alert looks benign. From experience, indicators in SentinelOne often lead to uncovering hidden or sophisticated threats.

------------------------------------------------------------------------------------------------------------

I’ll pause here for now on the Incidents tab, as it’s time to work on another article! Until then, keep hunting and learning. See you soon! 😊 Happy Hunting! 🚀
- SentinelOne (P4 - Sentinels): A Practical Guide / A Practical Training
Welcome back to the SentinelOne journey! Today, we’re diving into the Sentinels Tab, one of the most critical components of the SentinelOne console. This is the workspace where administrators spend most of their time managing endpoints, configuring policies, and ensuring their organization stays secure. I'll walk you through the key features and functionalities, share some practical examples, and sprinkle in some of my personal tips to make your experience even smoother.

-------------------------------------------------------------------------------------------------------------

The Top Strip: Where It All Begins

Endpoints
This is where it all starts. The Endpoints section displays all the devices with SentinelOne agents installed. From here, you can monitor and manage every endpoint in your environment. Once an agent is installed, the console provides a treasure trove of information (the features and actions listed below are only a few; there are many more tasks you can perform, so do check it out):
  - Application inventory
  - Cloud connectivity details
  - Agent version
  - Last reboot time
  - Visible IPs

What Can You Do?
SentinelOne allows administrators to perform various actions on endpoints, such as:
  - Rebooting Devices
  - Updating the Agent
  - Running Scans
  - Disconnecting/Reconnecting to the Network
  - Troubleshooting Issues

Cool Features I Love
  - Permission Alerts: If the agent is not installed correctly (e.g., on macOS, where you need to grant full-disk access), the console flags this issue directly on the Endpoints Page, helping you fix it quickly.
  - Uninstallation Requests and Tamper Protection: SentinelOne’s anti-tamper feature ensures that agents cannot be uninstalled without proper authorization. If anti-tamper is off, an admin or executable can uninstall the agent. If anti-tamper is on, no one—not even admins—can uninstall the agent unless a request is raised.
Pro Tip: Always reject uninstallation requests unless absolutely necessary.
Filtering Endpoints
What if you’re managing thousands of endpoints? Do you have to check each one manually? Absolutely not! SentinelOne provides filters to help you zero in on endpoints with specific issues or pending actions.

If I get the opportunity and there’s enough interest, I’d be happy to create a detailed article on each filter available in SentinelOne’s Endpoint section. This would include an in-depth exploration of the various capabilities and functionalities related to endpoint management. For now, let’s proceed and focus on the key aspects without diving into extensive details.

-------------------------------------------------------------------------------------------------------------

Next: Identity Policy
This is a relatively new feature, and I haven’t tested it extensively yet. But here’s what I know so far:

Singularity™ Identity Detection & Response
This feature defends your Active Directory (AD), Entra ID (formerly Azure AD), and domain-joined assets against credential misuse and privilege escalation.
Core Features:
  - Active Directory Defense: Detects attacks targeting AD and Entra ID from managed, unmanaged, or IoT devices. Protects privileged credentials by hiding them from attackers and replacing them with decoys.
  - Lateral Movement Prevention: Uses cloaking technology to make lateral movement exceedingly difficult for attackers. Identifies and blocks misconfigurations in Access Control Lists (ACLs).
  - Visibility and Control: Visualizes paths attackers might use to advance their attacks. Maps exposed assets, orphaned credentials, and policy violations.
This feature integrates seamlessly with Zero Trust strategies and is designed to reduce identity-based attack surfaces.

-------------------------------------------------------------------------------------------------------------

Next: Tags: Custom Labels for Endpoints
Tags are a simple but powerful way to organize and filter endpoints.
Each tag consists of a key and value pair, allowing you to:
  - Create Dynamic Groups
  - Build Dashboard Widgets
Scope of Tags
  - Tags created at the Account level are available across all Sites and Groups under that account.
  - Tags created at the Site level are restricted to that specific site.

-------------------------------------------------------------------------------------------------------------

Next: Unprotected Endpoints and Cloud Rogues

Unprotected Endpoints
This feature highlights endpoints that are not protected by SentinelOne agents. It’s part of the Network Discovery feature, which I’ve covered in a separate article. You can check it out at the link below:
https://www.cyberengage.org/post/sentinel-one-p3-network-discovery-a-practical-guide

Cloud Rogues
This new feature is part of SentinelOne’s Cloud Workload Security (CWS). I haven’t tested it extensively yet, but here’s what I know. It continuously monitors your cloud environment (e.g., AWS) to:
  - Inventory unprotected virtual machines (VMs).
  - Identify newly created VMs in real time.
Administrators can then deploy the SentinelOne CWS agent on these unprotected machines. Currently, Cloud Rogues supports Amazon EC2 and related services (ECS, EKS), with plans to expand to other CSPs like Azure and Google Cloud.

I’m sharing this article for you to check out: Feature Spotlight: Auto-Discover Unprotected Amazon EC2 Instances with Cloud Rogues. If I get the chance to test this feature in the future, I’ll provide an update. Similarly, if you’ve already tested it or have any feedback, feel free to share it with me. I’d be happy to incorporate your insights into this article to make it even more comprehensive.

-------------------------------------------------------------------------------------------------------------

Next: Policies: The Backbone of SentinelOne
The Policy section is arguably the most critical part of the SentinelOne console.
Understanding how policies work—and the hierarchy they follow—is essential for effective configuration.

Hierarchy Recap
  - Changes made at the Account level are inherited by all Sites and Groups.
  - Changes made at the Site level are inherited by Groups under that Site.
  - Group-level changes do not affect the broader Site or Account.

Scenario Example:
  - Default Policy: If you’ve just set up a new SentinelOne console or server, enable inheritance for smooth policy implementation across all sites/groups.
  - Custom Policies: If a client has two sites, e.g., London and US, requiring different policies, make changes at the Site level. For example, create one policy for London and another for the US by editing the specific site's configuration.

Policy Modes
Policies in SentinelOne operate in two modes:
  - Detect Mode: Identifies threats but takes no action. No files are quarantined, killed, or remediated.
  - Protect Mode: Automatically responds to threats based on your chosen Protect Level.

Protection Actions Explained:
  - Kill: Stops all processes related to the threat.
  - Quarantine: Moves the threat and any associated files to a secure, encrypted location.
  - Remediate: Deletes all files and system changes caused by the threat. It also executes Kill and Quarantine if they were not completed earlier. Important: With Remediate, files are deleted and cannot be unquarantined.
  - Rollback (Windows only): Uses Volume Shadow Copy Service (VSS) to restore the system to a previous snapshot, reversing ransomware damage. Sequence: Remediation must complete successfully before rollback can occur. Snapshots are automatically created every four hours, making rollback a powerful feature for disaster recovery.
Pro Tip: Rollback is invaluable for ransomware recovery. SentinelOne creates snapshots every four hours by default.

Macro Mitigation
This feature allows you to mitigate malicious macros within Excel files.
However, SentinelOne can be noisy in this regard, and enabling this feature might render Excel files unusable. It’s recommended to handle this cautiously. For me, quarantining Excel files is more useful than outright deleting macros, because you can get the Excel file back, but a deleted macro is gone.

Containment
When enabled alongside Protect Mode, this feature isolates the endpoint if a threat is detected. It works in conjunction with the chosen Protection Level (e.g., Remediate).

Example: Protect Mode with Protection Level: Remediate
When the policy is set to Protect and the Protection Level is configured as Remediate, the following actions are triggered for any detected threat:
  - Automatic Remediation: The malicious file is identified and automatically remediated by deleting the file and undoing its changes on the system. Any associated processes are terminated to ensure the threat is neutralized.
  - Endpoint Containment (if enabled): The affected endpoint is isolated from the network to prevent further spread or lateral movement of the threat. This is especially useful for ransomware scenarios, as it stops the attack in its tracks.

Caution: False Positives
While such automation is extremely helpful, there are risks to consider: like any security tool, SentinelOne can occasionally misidentify legitimate files as malicious (false positives). If a legitimate business-critical file is mistakenly remediated, it may cause operational disruptions.

Robust Detection via Multiple Engines
SentinelOne employs a multi-layered detection mechanism to handle modern threats, including zero-day attacks. Even if one engine misses a threat, others are designed to catch it. Here are the primary engines:
  - Reputation Engine: Matches file hashes against known malicious and trusted files from global databases.
  - Static AI: Examines file characteristics without execution to identify threats.
  - Behavioral AI: Monitors runtime activities to detect anomalous or malicious behaviors.
  - Anti-Exploitation/Fileless Protection: Focuses on memory-based and script-based attacks.
  - Lateral Movement Detection: Identifies attempts to spread across the network.
  - Identity Detection (Singularity™): Guards against identity-based attacks on Active Directory environments.
Each engine contributes to a robust defense system, ensuring minimal gaps in threat detection.

Moving on to the second part of the policy: each toggle on this screen is self-explanatory, with a description of its function.

Deep Visibility & Identity Settings
These configurations relate to SentinelOne’s Identity Policy. Administrators can choose pre-configured settings or customize them based on their specific environment's needs. This flexibility allows for precise control over how identity-related threats and anomalies are managed.

Binary Vault
This feature automatically uploads executable files to SentinelOne’s cloud for analysis.
  - Malicious files are retained for one year.
  - Benign files are retained for 30 days.

Remote Ops Scripts
This setting lets administrators define scripts to be executed remotely on endpoints. While the specifics can be customized now, I'll provide more details later in upcoming articles.

Decommission & Remote Shell
These features provide advanced administrative capabilities:
  - Decommission: Safely removes endpoints from SentinelOne management once they have been offline for the number of days you select.
  - Remote Shell: Enables secure remote access to an endpoint for troubleshooting or manual remediation.

-------------------------------------------------------------------------------------------------------------

Next: The Star of the Show: Custom Rules
Creating custom rules in SentinelOne is like crafting the perfect weapon for your defense arsenal. This is where you take control—a level of customization no AI-generated rule can match. Why? Because your organization’s threats and environment are unique.
What to Know About Custom Rules:
- Hierarchy is key: Rules can only be created at Account Level or Site Level. A Site-level rule applies to all groups under it, while an Account-level rule cascades down to all sites and groups. There is no Group-level rule creation, remember that!
- Policy-based actions: For example, if a malicious file is detected, you can configure the rule to take actions like terminate, quarantine, or even notify the team.

For the Techies: Let’s say you’re hunting PowerShell behavior. A Deep Visibility query might look like this one, which checks for PowerShell making outbound connections to public IPs. Once tested in Deep Visibility, you can create a Star custom rule using this same query to generate alerts or take action whenever it triggers.

For Non-Technical Users: No worries, SentinelOne’s Purple AI assistant can simplify the query for you. Paste the query into Deep Visibility, test it, and use it in your rule. No coding degree needed!
-------------------------------------------------------------------------------------------------------------
Next: Blocklist: The Gatekeeper
This tab is straightforward: you can block malicious SHA1 hashes. However, no MD5 or SHA256 hashes are allowed, nor paths. Frustrating? Not really! Use Star custom rules to block paths or filenames. Flexibility is the game here.
-------------------------------------------------------------------------------------------------------------
Next: Exclusions: Be Cautious!
Exclusions are where things get tricky. Think of it like this: every exclusion is a gate you open for potential attackers. Always:
- Start with hash-based exclusions before moving to path-based ones.
- Avoid broad exclusions like file types or browser categories. (Very Important)
Pro Tip: To exclude a specific file across all drives, use:
\Device\HarddiskVolume*\\.exe
It’s better than manually excluding each drive path!
SentinelOne gives you control over how you perform an exclusion, or, as I would put it, lets you choose the sensitivity of the exclusion.

Another thing to keep in mind is Extended Exclusions and the Reboot Requirement: for exclusions like interoperability-extended or performance focus-extended, a system reboot is required to apply changes. My recommendation: always use the suppress alert exclusion mode.

It’s important to note that exclusions in SentinelOne follow a hierarchy and do not support endpoint-based exclusions directly. Exclusions can only be applied at the following levels:
- Account Level: Exclusions are applied across all sites and groups under the account.
- Site Level: Exclusions are applied to all groups within the specific site.
- Group Level: Exclusions are applied to all endpoints within the specific group.
Because endpoint-level exclusions are not supported, it is not possible to configure exclusions for a specific endpoint.

Solution
If you need to apply exclusions for a single endpoint, here’s a workaround:
1. Create a new group: Move the specific endpoint into a new group.
2. Apply exclusions at the group level: Configure the exclusion for that group, ensuring that only the selected endpoint is affected.
This approach achieves endpoint-level exclusions indirectly while staying within SentinelOne’s exclusion hierarchy.
-------------------------------------------------------------------------------------------------------------
Next is: Network Control: Firewall and Network Quarantine
SentinelOne’s firewall gives you fine-grained control over network traffic. But should you enable it? Here’s my take: if your organization already uses a robust primary network firewall (e.g., Palo Alto, Fortinet, etc.), and Windows already has its built-in firewall, Windows Defender Firewall, there may not be a strong need to enable SentinelOne’s firewall.
- As SentinelOne is primarily an EDR/XDR solution, enabling its firewall could add unnecessary complexity to your setup.
- When enabled, SentinelOne’s firewall takes precedence over Windows Defender Firewall, as it is integrated into the SentinelOne Agent.
- Managing both the SentinelOne firewall and your primary firewall can become cumbersome, especially if you lack the resources for proper configuration and monitoring.
Recommendation: If your organization is already managing firewalls effectively, it’s better to disable the SentinelOne firewall to avoid increasing the administrative workload.

In some cases you won’t want to listen to me and will enable the firewall anyway. Then here is what you should keep in mind about traffic flow: when traffic enters or exits an endpoint, the SentinelOne Agent enforces rules as per the configured Firewall Policy:
- The rules are applied in top-down order, meaning the first matching rule determines the action.
- Block Action: The traffic is blocked immediately.
- Allow Action: The traffic is permitted to proceed.

For quarantined devices, the Network Quarantine feature shines
SentinelOne’s network quarantine is an excellent feature that allows you to isolate a compromised device while still maintaining connectivity for administrative purposes.
- Pre-Configuration: It’s advisable to configure this feature during initial setup so it’s ready to use in case of an incident.
- Benefit: There’s no need to reconfigure in the future, making it highly effective for incident response.
-------------------------------------------------------------------------------------------------------------
Next: Device Control: Lock Down Your Ports
Imagine controlling who gets USB access like a tech-savvy bouncer at a club. The Device Control feature in SentinelOne allows administrators to manage and restrict device interfaces for enhanced endpoint security. Here’s a simplified explanation and example to clarify its functionality:

1. Configurable Interfaces
You can define rules to allow or block interfaces like:
- USB
- Thunderbolt
- Bluetooth

2. USB Configuration Example
Let’s focus on USB as an example:
- Rule Creation: Rules can be created based on attributes like Vendor ID, Class, and Serial Number.
- Actions Available:
  - Allow and Write: Full access.
  - Read Only: Restricts write access.
  - Block: Completely disables access.

3. Additional Configurations
- Customizable Options: There are numerous USB-specific settings available for fine-tuned control.
- Rule Prioritization: Ensure rules are reordered to reflect organizational priorities, as rule order determines enforcement.
-------------------------------------------------------------------------------------------------------------
Next is: Packages: The Building Blocks
The Packages section in SentinelOne is where you can download and deploy agents for endpoints across different operating systems, including Windows, macOS, Linux, and Linux Kubernetes. Here’s an overview of key points and recommendations:

1. Available Packages
You can access and download agent packages for:
- Windows: Available in .exe and .msi formats.
- Linux: Packages in .rpm and .deb formats.
- macOS
- Linux Kubernetes

2. Recommendations for Installation
- Windows: Prefer the .exe package for simplicity. Installation involves double-clicking the file and adding the token for configuration. .msi packages are also available but may require additional command-line parameters.
- Linux: Opt for the .deb package for easier installation and configuration, though .rpm is equally effective depending on your environment.
- Documentation: Refer to the Community Portal or Customer Portal for detailed installation guides specific to each OS.

3. Reboot Requirements
- Newer Agent Versions: Starting from version 23.3 and later, rebooting the endpoint after installation is no longer required.
- Older Agent Versions: A reboot may be necessary after installation.
4. Agent Updates
- Lifecycle Management: SentinelOne releases new agent versions every 3–6 months, depending on their update cycle. Keep an eye on end-of-life (EOL) or end-of-support (EOS) dates for older packages on the Community Portal. Using outdated agents may compromise performance and security, as they no longer receive updates.
- Manual Updates: Unlike some competitors like CrowdStrike, SentinelOne does not perform automatic agent updates. This manual process helps avoid issues like the infamous Blue Screen of Death caused by rushed updates in some tools.
Pro Tip: Regularly check the Community Portal for announcements and update agents proactively to ensure you receive the latest security feeds and features.
-------------------------------------------------------------------------------------------------------------
Next Is: Upgrade Policies: Set It and Forget It
Use the Auto-Upgrade Policy to keep agents updated without breaking a sweat (if you want to; I do not recommend it). This ensures:
- Better security: Newer agents are more resilient to threats.
- Improved functionality: Who doesn’t like shiny new features?
-------------------------------------------------------------------------------------------------------------
The Final Tab: Site Info/Account/Group Info (Based on the Level You Are At)
The last tab acts as your dashboard for account/site/group details. It also holds the token for agent installation.
Pro Tip: Always double-check tokens before installation to avoid misalignment of endpoints.
-------------------------------------------------------------------------------------------------------------
Parting Wisdom
SentinelOne is like a Swiss Army knife: powerful, flexible, and capable of saving the day. But with great power comes great responsibility. Here’s my advice:
- Test before you deploy: Whether it’s a custom rule or an exclusion, ensure it works in your test environment first.
- Document everything: A well-documented setup makes troubleshooting and audits a breeze.
- Leverage support: SentinelOne’s support team is quick and helpful, so don’t hesitate to reach out.

I hope this guide helps you. Remember, cybersecurity is not just a job; it’s a commitment to keeping the digital world safe. So go out there, configure those rules, lock down your endpoints, and be the superhero your organization needs! I’ll pause the Sentinel tab here for now, as it’s time to work on another article! Until then, keep hunting and learning. See you soon! 😊 Happy SentinelOne managing! 🚀
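The Network Control section above says the agent walks the Firewall Policy top-down and the first matching rule decides, and the Device Control section makes the same point about rule order. The Python below is an added example (not SentinelOne's code) that models that first-match evaluation and adds the check a practitioner most wants before enabling the firewall: a scan for rules that can never fire because an earlier, broader rule already covers them. The rule fields, flow fields and the sample policy are constructed for the example; they are not the console's own field names.

```python
"""Top-down, first-match policy evaluation with a shadowed-rule check.

Added example, not SentinelOne's implementation. Rule/Flow fields and the
sample policy are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "Allow" or "Block"
    direction: str              # "inbound", "outbound" or "any"
    protocol: str               # "tcp", "udp" or "any"
    remote_net: str             # CIDR the remote address must fall in
    port: Optional[int] = None  # None matches every port


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    remote_ip: str
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow (wildcards allowed)."""
    return (
        rule.direction in ("any", flow.direction)
        and rule.protocol in ("any", flow.protocol)
        and ip_address(flow.remote_ip) in ip_network(rule.remote_net)
        and (rule.port is None or rule.port == flow.port)
    )


def evaluate(policy: List[Rule], flow: Flow, default: str = "Allow") -> Tuple[str, Optional[str]]:
    """Walk the policy top-down; the first matching rule decides the action.

    Returns (action, rule_name). `default` applies when nothing matches; the
    agent's own default behaviour is policy-specific, so it is a parameter
    here rather than an assumption baked into the code.
    """
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return default, None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every flow matched by `inner` is also matched by `outer`."""
    return (
        outer.direction in ("any", inner.direction)
        and outer.protocol in ("any", inner.protocol)
        and ip_network(inner.remote_net).subnet_of(ip_network(outer.remote_net))
        and (outer.port is None or outer.port == inner.port)
    )


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them.

    This is exactly the misordering the article warns about: a broad Allow
    placed above a specific Block silently disables the Block.
    """
    return [rule.name for i, rule in enumerate(policy)
            if any(covers(earlier, rule) for earlier in policy[:i])]


# Constructed sample policy: the SMB block sits BELOW a broad LAN allow.
MISORDERED = [
    Rule("allow-lan", "Allow", "inbound", "any", "10.0.0.0/8"),
    Rule("block-smb-from-lan", "Block", "inbound", "tcp", "10.0.0.0/8", 445),
    Rule("allow-dns", "Allow", "outbound", "udp", "0.0.0.0/0", 53),
]
# Same rules with the specific Block moved above the broad Allow.
CORRECTED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

SMB_FROM_LAN = Flow("inbound", "tcp", "10.20.30.40", 445)

if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED, SMB_FROM_LAN), "shadowed:", shadowed_rules(MISORDERED))
    print("corrected :", evaluate(CORRECTED, SMB_FROM_LAN), "shadowed:", shadowed_rules(CORRECTED))
```

Running it shows the misordered policy allowing SMB from the LAN even though a Block rule exists, and `shadowed_rules` naming that Block as dead; after reordering, the Block fires and nothing is shadowed. The same check applies unchanged to Device Control rules if you swap the matching fields for Vendor ID, Class and Serial Number.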
- SentinelOne (P3 - Network Discovery / Ranger): A Practical Guide / A Practical Training
Welcome back to Part 3 of our exploration of SentinelOne’s powerful features! Today, let’s dive into one of the most fascinating and essential capabilities SentinelOne offers: Network Discovery and its closely related counterpart, Unprotected Endpoint Discovery. These two features work hand in hand to provide unparalleled visibility and control over your network. So, let’s unpack this, step by step, as though we’re in a room filled with curious cybersecurity professionals.
-------------------------------------------------------------------------------------------------------------
The Backdrop: Why Network Discovery Matters
Imagine you’re the captain of a ship, navigating through uncharted waters. To ensure smooth sailing, you need a detailed map showing not just the known islands but also hidden reefs, shoals, and lurking hazards. That’s exactly what Network Discovery does: it’s your map of the corporate network.

With SentinelOne, Network Discovery scans your environment to identify every connected device, be it a server, endpoint, IoT device, or even an unknown gadget someone sneaked into the office. It doesn’t stop at identification; it categorizes devices into Secured, Unsecured, Unsupported, and Unknown, ensuring no stone is left unturned.
-------------------------------------------------------------------------------------------------------------
What’s the Difference Between Network Discovery and Unprotected Endpoint Discovery?
This is a question many people ask, and it’s a good one. Here’s the gist:
- Unprotected Endpoint Discovery: Think of this as the “lite” version of Network Discovery. Its main focus is to scan and identify endpoints in your network that don’t have the SentinelOne agent installed. It’s quick, effective, and perfect for targeting vulnerable devices that need immediate attention.
- Network Discovery: On the other hand, Network Discovery is the full package. It doesn’t just identify unprotected endpoints but also provides a comprehensive overview of every device in your network, including IoT devices, cameras, and more. It’s like having x-ray vision for your corporate environment.
Here’s the kicker: Unprotected Endpoint Discovery doesn’t work unless Network Discovery is enabled. It’s the foundation upon which the unprotected endpoint feature is built.
-------------------------------------------------------------------------------------------------------------
Let’s Break It Down: The Device Categories
Network Discovery classifies devices into four categories:
- Secured: Devices where the SentinelOne agent is installed and running.
- Unsecured: Devices that support the SentinelOne agent but don’t have it installed yet.
- Unsupported: Devices incompatible with the SentinelOne agent (think mobile phones, tablets, or Unix systems).
- Unknown: Devices where it’s unclear if they’re supported by SentinelOne, often requiring manual investigation.
-------------------------------------------------------------------------------------------------------------
Walking Through the Tabs in Network Discovery
1. Devices Tab
This is where the magic happens. The Devices Tab lists all identified devices in your environment. Here’s an example: imagine spotting an unsecured server. From this tab, you can do two critical things:
- Isolate the device: Cut it off from the network immediately to prevent potential threats.
- Deploy the SentinelOne agent: Right from this interface, provided you’ve configured your Deploy Key (we’ll talk about this shortly).
Even for unsupported devices, you can still review and isolate them. The level of control here is astounding.
-------------------------------------------------------------------------------------------------------------
2. Networks Tab
This tab gives you a clear view of which endpoints are connected to which networks.
It’s perfect for tracking activity and understanding how devices interact within your environment.
-------------------------------------------------------------------------------------------------------------
3. Settings Tab
Configuration is key. The Settings Tab allows you to fine-tune how Network Discovery operates. SentinelOne provides some excellent recommendations to get started:
- Minimum Agents in Corporate Networks: Set this threshold close to the smallest number of agents in your corporate network. Don’t go below five, to avoid scanning public or home networks that might generate noise.
- Gradual Scanning: Start by manually scanning networks from the Networks page. Enable automatic scanning gradually to avoid overwhelming the system.
- Excluding Specific IPs or Ranges: You can exclude certain addresses, like honeypots, to focus on critical devices.
- Scan Only the Local Subnet: Begin with scans limited to the local subnet of the agent. Expand this gradually to include cross-subnet scanning as needed.
Two settings might confuse some users, so let’s clarify them:
- Scan Only in Scanner’s Local Subnet: This limits the scan to devices within the scanner’s immediate network segment.
- Auto-enable Scan of Discovered Networks: If enabled, this automatically starts scanning any newly discovered networks, hands-free!
-------------------------------------------------------------------------------------------------------------
4. Deploy Keys Tab
Before you can deploy agents to unprotected devices, you need to configure Deploy Keys. Think of this as a passkey that ensures a smooth installation process. If you ever face deployment issues, SentinelOne’s documentation is an excellent resource.
-------------------------------------------------------------------------------------------------------------
Real-Life Use Case: Why It’s Awesome
Let’s imagine your organization has 500 devices connected to its network. Among these, you discover:
- 450 secured devices.
- 30 unsecured endpoints, some of which are critical servers.
- 10 unknown devices, possibly rogue or unauthorized.
From the Devices Tab, you isolate the unknown devices immediately. For the unsecured endpoints, you deploy the SentinelOne agent, ensuring they’re protected moving forward. All this happens within minutes, minimizing risk and maximizing efficiency.
-------------------------------------------------------------------------------------------------------------
Final Thoughts
SentinelOne’s Network Discovery and Unprotected Endpoint Discovery features are like having a superpower in your cybersecurity arsenal. They provide full visibility into your network, help you identify vulnerabilities, and empower you to act swiftly. With the ability to categorize devices, monitor networks, and deploy agents seamlessly, you’re always one step ahead of potential threats.
Akash Patel
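To make the four device categories and the "Minimum Agents in Corporate Networks" setting concrete, here is an added Python example (not SentinelOne's code, and not how Ranger fingerprints devices internally). It applies the category definitions from this article to a constructed inventory and filters discovered networks by the agent-count threshold the article recommends. The device record fields (`os`, `agent_running`) and the OS lists are assumptions made for the example.

```python
"""Network Discovery categories and the minimum-agents threshold, modelled.

Added example, not SentinelOne's implementation. Record fields, OS lists and
all sample data are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List

# Assumed platform lists: the article names phones, tablets and Unix systems
# as unsupported; Windows, Linux and macOS are the agent packages it lists.
SUPPORTED_OS = {"windows", "linux", "macos"}
UNSUPPORTED_OS = {"ios", "android", "unix"}


def classify(device: Dict[str, object]) -> str:
    """Map one discovered device onto Secured/Unsecured/Unsupported/Unknown."""
    if device.get("agent_running"):
        return "Secured"            # agent installed and running
    os_name = str(device.get("os") or "").lower()
    if os_name in SUPPORTED_OS:
        return "Unsecured"          # could run the agent but does not yet
    if os_name in UNSUPPORTED_OS:
        return "Unsupported"        # agent cannot be installed
    return "Unknown"                # fingerprint inconclusive; manual review


def summarize(devices: List[Dict[str, object]]) -> Dict[str, int]:
    """Per-category counts, the headline view the Devices tab gives you."""
    return dict(Counter(classify(d) for d in devices))


def networks_to_scan(agent_counts: Dict[str, int], minimum_agents: int = 5) -> List[str]:
    """Networks with at least `minimum_agents` agents present.

    The article says not to go below five, so that a home or public network a
    single laptop joins is never treated as corporate and scanned.
    """
    if minimum_agents < 5:
        raise ValueError("threshold below 5 risks scanning public/home networks")
    return sorted(net for net, n in agent_counts.items() if n >= minimum_agents)


# Constructed inventory (not data from any real environment).
INVENTORY: List[Dict[str, object]] = [
    {"name": "fs01", "os": "Windows", "agent_running": True},
    {"name": "db02", "os": "Linux", "agent_running": False},
    {"name": "mac-ceo", "os": "macOS", "agent_running": True},
    {"name": "phone-17", "os": "iOS", "agent_running": False},
    {"name": "cam-lobby", "os": None, "agent_running": False},
    {"name": "legacy-hpux", "os": "Unix", "agent_running": False},
]

# Constructed agent counts per discovered network.
AGENTS_PER_NETWORK = {
    "10.10.0.0/24": 120,   # office LAN
    "10.10.5.0/24": 7,     # small branch
    "192.168.1.0/24": 1,   # one agent on someone's home router
}

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d['name']:12} -> {classify(d)}")
    print(summarize(INVENTORY))
    print("scan:", networks_to_scan(AGENTS_PER_NETWORK))
```

The home network with a single agent drops out of the scan list, which is the noise (and privacy) problem the five-agent floor exists to avoid; `db02` is the "unsecured server" case where deploying the agent from the Devices tab is the right move, while `cam-lobby` lands in Unknown and needs a human to look at it.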
- SentinelOne (P2 - SentinelOne's Deep Visibility: Enhanced vs. Legacy): A Practical Guide / A Practical Training
Welcome back to the SentinelOne journey! As promised, we’re diving deep into the Deep Visibility feature, a powerhouse for threat hunting and data analysis. Let me take you on a step-by-step walkthrough, starting with Enhanced Deep Visibility, which is SentinelOne’s newer and improved version, and then comparing it with Legacy Deep Visibility. I’ll show you how to unleash its potential for hunting threats effectively. Buckle up, and let’s get started!
-------------------------------------------------------------------------------------------------------------
What Is Deep Visibility?
Deep Visibility is SentinelOne’s capability to collect and analyze data from endpoints and integrated sources, offering unmatched granularity for security investigations. It stores this data for up to 90 days by default, allowing for retrospective analysis. If you’re serious about understanding threats in your network, this is where the magic happens.

Before diving into the technical details, let’s clarify a few key concepts:

Singularity™ Data Lake
This advanced feature builds on Deep Visibility, creating a unified platform to manage and analyze all your data. It combines EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and even non-security data.
Key Features:
- Centralized Data: Consolidates security, environmental, and third-party data for seamless analysis.
- Enhanced Querying: Includes tools like PowerQueries for advanced searches.
- Custom Views: Supports EDR, XDR, and "All Data" views for tailored investigations.
- Visualization: Offers customizable dashboards with graphs and JSON-based configurations.
Quick Note: Some of these advanced features are add-ons. You may need to subscribe to them separately.
-------------------------------------------------------------------------------------------------------------
Starting with Enhanced Deep Visibility
Let’s move to the Enhanced version because it’s simpler, faster, and more efficient than the Legacy version. As we proceed, I’ll show you why it’s my preferred choice for threat hunting.

1. Understanding the Interface
When you open Deep Visibility, you’ll notice three main views at the top-left corner:
- EDR: Displays structured security data collected from SentinelOne agents.
- XDR: Merges EDR data with data from integrated third-party sources.
- All Data: Combines everything, security and environmental logs alike.
Example Use Case: If you’re hunting for incoming connections on a specific endpoint, you might start with the EDR view to focus on structured security data, then move to XDR for broader context.
How to Query:
endpoint.name = "EndpointName" AND event.network.direction = 'INCOMING'
This query will list all incoming network events for the specified endpoint.

The query above is the simplest example I can give. With SentinelOne Deep Visibility, you can monitor, search for, and investigate activities using indicators such as file hashes, file names, domains, or any other relevant parameters (I cannot name them all; do check them out on your own). These capabilities enable comprehensive threat detection and response, helping you quickly identify and address security risks. In the future, based on demand, I plan to create a detailed article that will provide in-depth guidance on crafting queries and maximizing the platform’s potential. For now, this overview should serve as a sufficient introduction.
-------------------------------------------------------------------------------------------------------------
2. PowerQueries: The Game Changer
What are PowerQueries?
PowerQueries are SentinelOne’s advanced query-building tools for precise data retrieval. Think of them as the Swiss Army knife for analysts.
They’re designed for scenarios where regular Event Search might fall short.
Why Use PowerQueries?
- Targeted Results: Fetch only the data you need.
- Event Correlation: Combine data from multiple sources for deeper insights.
- Statistical Analysis: Use grouping functions to spot anomalies.

From my perspective, PowerQuery is a tool for crafting threat queries that produce structured, tabular outputs. This makes it especially useful for reporting and analysis. PowerQuery has broad applications, and I often view it as a versatile resource for security use cases. For example, I could use PowerQuery to identify failed login attempts or investigate whether a specific user has transferred data to a USB device. These examples demonstrate the potential of PowerQuery in simplifying complex investigations while maintaining precision and clarity.
Example 1: Failed Login Attempts
Example 2: USB Data Transfer
Tip: If you’re not familiar with query writing, don’t worry. SentinelOne provides built-in tools and even a Purple AI assistant (more on this later) to guide you.

This is where PowerQuery becomes invaluable. It helps you focus on what you are looking for by streamlining data queries and presenting results effectively. In my view, PowerQuery can be used in numerous ways, though there might be additional applications I haven’t explored yet; feel free to share your insights or suggestions in the comments.

As for functionalities like saving or sharing searches, these are quite intuitive and self-explanatory, so I won’t elaborate on them here. Any searches you save can be easily accessed under the "Search" column. A screenshot is included below for better clarity.
-------------------------------------------------------------------------------------------------------------
3. Purple AI: Your Hunting Buddy
Purple AI is SentinelOne’s answer to simplifying threat hunting. If writing queries isn’t your strong suit, this feature allows you to type commands in plain English.
Purple AI then translates them into actionable queries.
Example: Type “Show all connections made by PowerShell to public IPs.” Purple AI generates the query and rule for you; click on Open PowerQuery as shown in the screenshot.

Using AI tools is certainly beneficial, but I strongly encourage you to learn how to create queries manually. While AI simplifies many tasks, not all organizations will buy built-in AI-driven query features. In such cases, your ability to craft queries independently will be essential and could prevent potential challenges. Moreover, creating your own queries allows for better customization and accuracy in your analysis. If you’d like, I can compile a list of sample queries to help you get started. Feel free to reach out via email or reply directly to this article, and I’d be happy to create detailed guides and examples for you.
-------------------------------------------------------------------------------------------------------------
4. Creating Custom Dashboards
Dashboards in Enhanced Deep Visibility are a breeze and self-explanatory. You can visualize trends, monitor system health, and even build reusable dashboards tailored to your needs.
Pro Tip: Use the Dashboard Library. Prebuilt dashboards make it easy to get started. From system health to incident trends, you’ll find templates for almost every use case.
-------------------------------------------------------------------------------------------------------------
Next to the Dashboard section, you’ll find the Star Custom Rules feature. We’ll delve into this in detail in future articles, but in simple terms, it allows you to create custom detection rules. For example, as I’ve mentioned before, while SentinelOne’s AI detection is powerful, it’s always best to supplement it by creating your own rules under Star Custom Rules for more precise detections.

Moving on, near the Star Custom Rules, you’ll see the Docs column.
This section contains comprehensive documentation for various tasks, such as data ingestion, log parsing (e.g., logs from Zscaler or other tools), working with graphs, PowerQueries, and much more. It’s a valuable resource to explore and reference as needed.

On the left-hand side of the Search section, you’ll find a tab called Logs. This is where you can view all the logs ingested from various tools. It provides insights into the volume of logs and their sources, making it easier to track and manage log data effectively.
-------------------------------------------------------------------------------------------------------------
5. Legacy Deep Visibility: Still Useful?
While I’m a big fan of the Enhanced version, Legacy Deep Visibility has its own charm. Here’s where it shines:
As shown in the screenshot, this is how the Legacy Console appears.
- S1QL (SentinelOne Query Language): Provides a structured way to query data, similar to S2QL. For example, I hunted for executions of rundll32 or regsvr32 scripts.
When comparing the Legacy Console and the Enhanced Console, you’ll notice slight differences, particularly in the command structure. Personally, I prefer the Enhanced version for its improved functionality, but the choice is yours.

I recommend exploring resources like the following for detailed query references and cheat sheets:
- GitHub Repository for S1QL Queries
- SentinelOne Cheat Sheet
These provide valuable insights into creating and running queries in the Legacy Console. However, I strongly advise against copying and pasting queries directly without understanding them. Always verify what a query does and ensure its relevance to your objective.

The Legacy Console has some notable missing features, such as Purple AI and the Dashboard, which are present in the Enhanced Console.
However, one feature exclusive to Legacy Deep Visibility is the Threat Hunter Extension:
Threat Hunter Extension Overview
- Hunter Extension: A browser extension for quick IOC hunting. For example, you can copy a list of suspicious IPs from a webpage, and the extension automatically builds a query for them.
Example: In simple terms, this browser extension allows you to copy IOCs (Indicators of Compromise) from websites. For instance, if a website contains 100 IOCs, the extension captures them all. You can then select and search them directly in the Legacy Deep Visibility console, which generates a query and performs the hunt automatically. Unfortunately, this feature is not available in the Enhanced Console, making Legacy Deep Visibility particularly powerful for IOC hunting in such scenarios.
-------------------------------------------------------------------------------------------------------------
Threat Hunting in Deep Visibility
Threat hunting in SentinelOne is where the tool truly shines. Here’s a simple workflow:
Writing Custom Rules or Using Fields
Let’s say you want to check incoming connections on port 445. If you’re unsure about the syntax, use the Fields section to build your query visually: select the port and the direction, then select Include in Search (this will create a query for you automatically). Alternatively, for more complex searches, like detecting PowerShell connections to public IPs, let Purple AI and PowerQuery handle it (if you have this enabled).
-------------------------------------------------------------------------------------------------------------
Conclusion
SentinelOne’s Deep Visibility is a treasure trove for security professionals. Whether you’re using the Enhanced version for its intuitive interface or the Legacy version for its robust features like the Hunter extension, there’s something for everyone.
Final Advice:
- Explore PowerQueries; they’re your best friend for precision.
- Leverage Purple AI if you’re new to threat hunting.
- Build and customize dashboards to streamline your workflows.
- If using Legacy, check out the Hunter extension for quick IOC hunting.
SentinelOne offers immense depth. If you want me to write a detailed guide on query writing or any specific feature, let me know in the comments or drop me an email. Until next time, happy hunting! 🛡️
Akash Patel
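The three hunts this article talks about (the `endpoint.name ... AND event.network.direction = 'INCOMING'` query, incoming connections on port 445, and PowerShell connecting to public IPs) are easy to run in the console but their selection logic is never spelled out. The Python below is an added example, not SentinelOne's code and not an S2QL/PowerQuery implementation, that applies the same three filters to a constructed list of network events so you can see what each query actually selects and why the "public IP" part matters. `endpoint.name` and `event.network.direction` are taken from the query on the page; the other field names and all event values are assumptions made for the example.

```python
"""Three Deep Visibility hunts expressed as plain filters over sample events.

Added example, not SentinelOne's implementation. Field names other than
endpoint.name / event.network.direction, and all event values, are constructed.
"""
from ipaddress import ip_address
from typing import Dict, List

Event = Dict[str, object]


def is_public(ip: str) -> bool:
    """Public = globally routable; excludes RFC1918, loopback, link-local, etc."""
    return ip_address(ip).is_global


def incoming_for_endpoint(events: List[Event], endpoint: str) -> List[Event]:
    """Equivalent of: endpoint.name = <endpoint> AND event.network.direction = 'INCOMING'."""
    return [e for e in events
            if e["endpoint.name"] == endpoint
            and e["event.network.direction"] == "INCOMING"]


def incoming_on_port(events: List[Event], port: int) -> List[Event]:
    """Incoming connections on one port (445 in the article's walkthrough)."""
    return [e for e in events
            if e["event.network.direction"] == "INCOMING"
            and e["dst.port.number"] == port]


def powershell_to_public(events: List[Event]) -> List[Event]:
    """Outbound connections from PowerShell to a public destination.

    Both Windows PowerShell and PowerShell 7 (pwsh.exe) are matched; a
    connection to an internal address (WinRM to 10.x, for instance) is left
    out, which is the whole point of the 'public IPs' qualifier.
    """
    ps_names = {"powershell.exe", "pwsh.exe"}
    return [e for e in events
            if e["event.network.direction"] == "OUTGOING"
            and str(e["src.process.name"]).lower() in ps_names
            and is_public(str(e["dst.ip.address"]))]


def summarize(hits: List[Event]) -> List[str]:
    """One line per hit for quick triage."""
    return [f'{e["endpoint.name"]} {e["src.process.name"]} '
            f'{e["event.network.direction"]} {e["dst.ip.address"]}:{e["dst.port.number"]}'
            for e in hits]


# Constructed sample events (not real telemetry). Public destinations use
# well-known resolver addresses so ipaddress classifies them as global.
EVENTS: List[Event] = [
    {"endpoint.name": "WS-042", "event.network.direction": "OUTGOING",
     "src.process.name": "powershell.exe", "dst.ip.address": "8.8.8.8", "dst.port.number": 443},
    {"endpoint.name": "WS-042", "event.network.direction": "OUTGOING",
     "src.process.name": "powershell.exe", "dst.ip.address": "10.0.0.5", "dst.port.number": 5985},
    {"endpoint.name": "SRV-FS1", "event.network.direction": "INCOMING",
     "src.process.name": "System", "dst.ip.address": "10.0.0.20", "dst.port.number": 445},
    {"endpoint.name": "SRV-FS1", "event.network.direction": "INCOMING",
     "src.process.name": "svchost.exe", "dst.ip.address": "10.0.0.20", "dst.port.number": 3389},
    {"endpoint.name": "WS-007", "event.network.direction": "OUTGOING",
     "src.process.name": "chrome.exe", "dst.ip.address": "1.1.1.1", "dst.port.number": 443},
    {"endpoint.name": "WS-007", "event.network.direction": "OUTGOING",
     "src.process.name": "pwsh.exe", "dst.ip.address": "9.9.9.9", "dst.port.number": 8080},
]

if __name__ == "__main__":
    print("incoming on SRV-FS1:", summarize(incoming_for_endpoint(EVENTS, "SRV-FS1")))
    print("incoming on 445    :", summarize(incoming_on_port(EVENTS, 445)))
    print("PowerShell -> public:", summarize(powershell_to_public(EVENTS)))
```

The second WS-042 event (PowerShell to 10.0.0.5) is the one a naive "any PowerShell network activity" query would flag and that the public-IP qualifier drops; when you turn such a query into a Star custom rule, that distinction is what keeps the rule from alerting on routine WinRM administration.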
- SentinelOne (P1 - Dashboard): A Practical Guide / A Practical Training
In this article, I’ll walk you through SentinelOne’s console, explaining how to navigate and utilize its powerful features. Think of this as part one of a series where we’ll dive deep into how SentinelOne works, what you can expect, and how it fits into forensic workflows. I’ll keep this as unbiased as possible, sharing my thoughts and experiences along the way.
-------------------------------------------------------------------------------------------------------------
Getting Started with the Console
When you first log in to the SentinelOne console, you’re greeted with a sleek, user-friendly interface. At the very top is the black strip, housing key navigation options and tools. Let’s break this down:

Logo and Arrow: To the left, you’ll see the logo followed by an arrow. Clicking this arrow opens up the hierarchical structure that SentinelOne uses to organize accounts, sites, and groups. Here’s a simplified example to understand how this works:
- Global: If you’re an admin, this is your top level of access.
- Accounts: Let’s say you have a client named "ABC." You create an account under the global level for them (each client gets a single account). Example: Global/ABC
- Sites: Within that account, you can create sites based on locations or departments. (You can create multiple sites.) Example: Global/ABC/London or Global/ABC/US
- Groups: Finally, within each site, you can create groups for further segmentation. Example: Global/ABC/London/Finance or Global/ABC/US/Sales

Hierarchy in Action: Changes applied at the account level cascade down to all sites and groups. Changes made at the site level only affect the groups within that site. Similarly, group-level changes don’t impact the broader site or account.
-------------------------------------------------------------------------------------------------------------
Singularity Marketplace
The next item on the black strip is the Singularity Marketplace.
This is where SentinelOne shines in its ability to integrate logs and alerts from over 130 third-party tools: think AWS, Microsoft, GitHub, Palo Alto, Zscaler, Duo, and even tools like Recorded Future for threat enrichment.

The Backstory: This feature became possible after SentinelOne acquired Scalyr in 2021. Scalyr was a cloud-native data analytics platform designed to handle massive log data at high speed. With this integration, SentinelOne elevated its XDR platform, allowing you to analyze and act on data from multiple sources in real time.

If you’re wondering whether you can integrate your tools into SentinelOne, the community portal has step-by-step guides for each integration. While I won’t dive into the "how-to" here, I recommend checking those out. Spoiler alert: it’s pretty straightforward.
-------------------------------------------------------------------------------------------------------------
Cloud-Native Security
Another noteworthy feature on the top strip is Cloud-Native Security. This tool focuses on protecting cloud resources with features like:
- Agentless Onboarding: Create an inventory of assets within minutes.
- Verified Exploit Paths™: Simulate attacks to identify exploitable vulnerabilities.
- Secrets Management: Detect hardcoded secrets (over 800 types!).
- Real-Time Compliance: Monitor cloud compliance across frameworks like PCI-DSS, SOC2, HIPAA, and more.
While I won’t delve deep into this feature for now, it’s an excellent addition for teams managing hybrid infrastructures.
-------------------------------------------------------------------------------------------------------------
Help and API Documentation
Clicking on "Help" provides access to:
- Offline Help: A repository of guides and documents (though these aren’t always up to date).
- Customer Portal: The go-to for creating support tickets and accessing the most current documentation.
- API Documentation: A treasure trove for automation enthusiasts.
SentinelOne’s API allows you to:

Manage endpoints (e.g., quarantining devices).
Perform threat analysis and hunting.
Automate workflows like isolating infected endpoints or running scans.
Integrate with SIEMs and IT management platforms using RESTful APIs.

If you’re technically inclined, this is worth exploring. APIs are the glue that can bind your security operations together.

-------------------------------------------------------------------------------------------------------------

MITRE Framework Integration

Next up is the MITRE Framework integration. SentinelOne maps detected threats to MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures). For each detection, you’ll see indicators and detailed insights, making it easier to understand the attack and respond effectively.

-------------------------------------------------------------------------------------------------------------

Understanding User Details, Time Settings, and Enhanced Deep Visibility in SentinelOne

User Account Overview

At the far right of the black navigation strip, you’ll find your user account details. This section includes the following:

Account Information: Displays your account name and the access level granted to you within SentinelOne (e.g., Administrator, Viewer).
Logout Option: A simple way to log out of your SentinelOne console for security purposes. Click the option labeled "Logout" (and yes, it does what it says!).

Customizing Time Settings

You can configure the time settings of your SentinelOne console to suit your preferences. Options include:

Local Browser Time: Matches the console’s time display to your local browser’s time zone.
UTC: Displays all timestamps in Coordinated Universal Time for standardization across global operations.

Changing Themes

The SentinelOne console allows you to switch between themes for better usability:

Light Mode: A brighter interface suited for well-lit environments.
Dark Mode: A dimmed interface for better visibility in low-light environments, reducing strain on your eyes.

Deep Visibility: From Legacy (S1QL) to Enhanced (S2QL)

SentinelOne’s Deep Visibility feature gives you advanced threat-hunting capabilities. Initially based on S1QL, the platform has evolved to use the enhanced S2QL query language, which offers better efficiency and usability.

S1QL (Legacy): The older query system, which some users may still find familiar and easier to navigate.
S2QL (Enhanced): A modernized, streamlined query language for more powerful and intuitive threat hunting.

You can choose which query system to use based on your comfort level and needs. In later articles I will cover both the Legacy Console and Enhanced Deep Visibility, making it easier to understand the transition to the newer system.

Singularity Operations Center (SOC)

At the time of this blog’s creation, SentinelOne provides an option to toggle between the Legacy Console and the updated Singularity Operations Center.

Why Choose the Legacy Console First?

I will start with the Legacy Console setup to help you understand the foundational concepts. Once that’s clear, we’ll explore the updated console for advanced operations. The choice of console is yours, but this approach ensures an incremental and thorough learning experience.

-------------------------------------------------------------------------------------------------------------

Left-Hand Navigation

We’ve explored the top black strip. In the next articles, we’ll dive into the left-hand navigation bar, breaking down each section. For now, check the screenshot below as well as the main items:

Dashboard: Get a bird’s-eye view of your organization’s security posture.
Threats: Investigate and manage detected threats.
Activity: Monitor endpoint activity.
Policies: Create and manage security policies.
Reports: Generate detailed insights for compliance and review.

-------------------------------------------------------------------------------------------------------------

In the upcoming sections, we’ll dive into the SentinelOne interface and explore its functionalities in detail. Stay tuned!

Akash Patel
- SentinelOne: Navigating a Cybersecurity Titan
Hello, friends and fellow cyber enthusiasts! Over the years, I’ve had the privilege of working with a wide range of cybersecurity tools, but one has stood out to me in a unique way: SentinelOne. This tool is like a dependable companion in the often chaotic landscape of cybersecurity. I’ve worked with it for over two years, so I thought it was time to share an in-depth guide and my honest experiences navigating SentinelOne. This article series will walk you through SentinelOne’s features, its strengths and limitations, and how you can use it not just for endpoint detection and response (EDR) but also as a forensic tool.

What You Should Know Before We Dive In

Before we start, here are some important things to keep in mind:

Features Depend on Your Subscription: SentinelOne offers a range of features, but your access depends on your subscription tier. Some advanced functionalities, like XDR capabilities or custom integrations, may not be available unless you’re on a premium plan. And yes, it can get a little expensive (but not as expensive as Microsoft security tools :)).
The SentinelOne Community is Your Best Friend: Whenever you face an issue or need guidance, check out the SentinelOne Community. It’s frequently updated, and you’ll find detailed articles, troubleshooting guides, and much more.
Outstanding Support: Need help? Just create a ticket. My experience with SentinelOne’s support team has been excellent. Responses usually arrive within a day, often with detailed explanations or solutions.
Constant Evolution: SentinelOne evolves rapidly. Features and UI elements change frequently, so if you notice anything new, test it out and let me know; I’d love to add it to this series!

Why SentinelOne Stands Out

For me, SentinelOne is one of the best tools on the market, and here’s why:

AI-Powered Threat Detection: SentinelOne doesn’t rely on just one detection engine; it employs multiple engines powered by AI and behavioral analysis. This ensures that even if one engine misses something, others might catch it (which helps against zero-day attacks).
Custom Rules for Proactive Defense: Don’t rely solely on AI. Use SentinelOne’s STAR custom rules to proactively hunt threats. This feature allows you to tailor the detection logic to your unique environment.
Ease of Use: SentinelOne’s user interface is intuitive and clean, making it easy to navigate and manage. I’ve worked with other tools like CrowdStrike and Carbon Black, and while they are powerful, their navigation can be cumbersome in comparison.
XDR Vision (But Not Fully There Yet): SentinelOne is transitioning toward being a complete Extended Detection and Response (XDR) solution. While it’s not quite as comprehensive as CrowdStrike in this area yet, I believe it’s only a matter of time before they catch up.

A Quick Overview of SentinelOne

Let’s start with the basics. SentinelOne defines itself as: “Redefining cybersecurity by pushing the boundaries of autonomous technology.” But what does that mean for you?

Core Features:

Singularity™ XDR Platform: A unified solution for prevention, detection, response, and threat hunting. It extends protection across endpoints, cloud workloads, IoT devices, and containers.
Best-in-Class Technology: SentinelOne provides unparalleled visibility, enterprise-grade automation, and rich AI models that autonomously protect against threats in real time.
Storyline™: One of the standout features, Storyline™ creates a visual timeline of events. It connects benign and malicious activities, offering context in one view, which is a game-changer for analysts.
Distributed AI: Every endpoint becomes a fortress with on-device AI capable of detecting and responding to threats, even when offline.

What to Expect in This Series

This series will be a journey. Here’s what I plan to cover:

How to Navigate SentinelOne: A step-by-step guide to the interface, including tips and tricks for better management.
Using SentinelOne for Forensics: Can you use SentinelOne as a forensic tool? Spoiler: yes, but with some caveats. We’ll dive into that.
SentinelOne vs. Other EDR Tools: I’ll share my comparisons with tools like CrowdStrike and Carbon Black, focusing on usability, detection accuracy, and overall performance.
Advanced Features and Customization: From creating STAR rules to leveraging Storyline™, we’ll explore how to maximize SentinelOne’s capabilities.
XDR Capabilities: What does SentinelOne offer today, and where does it need improvement?

My Honest Opinion (So Far)

SentinelOne isn’t perfect; no tool is. It has its limitations, especially when compared to competitors like CrowdStrike in specific areas like XDR. However, its strengths, especially in AI-driven detection and user experience, make it a standout choice. If there’s one piece of advice I’d give to new users, it’s this: don’t rely entirely on AI. Use custom rules to augment your defenses.

Stay tuned as we embark on this detailed journey. Whether you’re an experienced user or new to the tool, I hope this series helps you understand SentinelOne better, and perhaps even fall in love with it, like I did. So, are you ready for this journey? Let’s start: check out the next article. Until then, stay safe and keep learning.

Akash Patel
- Advanced Tools for Adversary Emulation and Purple Teaming: Enhancing Resilience Against Cyber Threats
Adversary emulation is a proactive cybersecurity approach in which security experts simulate the tactics, techniques, and procedures (TTPs) of adversaries. This method provides an opportunity to assess and improve an organization’s defense mechanisms, ensuring resilience against real-world cyber threats.

---------------------------------------------------------------------------------------------------------

What is Adversary Emulation?

Adversary emulation involves mimicking the behavior and strategies of cyber attackers. Unlike traditional penetration testing or vulnerability scans, adversary emulation focuses on TTPs, making it more aligned with real-world attack scenarios.

Red Teaming: Focuses on simulating attackers to test an organization’s defenses.
Purple Teaming: Bridges the gap between offense and defense, enabling collaboration between Red and Blue Teams to optimize detection and response capabilities.

---------------------------------------------------------------------------------------------------------

Why TTPs are Crucial

Tactics, Techniques, and Procedures (TTPs) represent the building blocks of adversarial operations.

Tactics: The overarching goals of an adversary (e.g., Initial Access).
Techniques: Specific methods to achieve those goals (e.g., Spear Phishing).
Procedures: Detailed steps to implement techniques.

TTPs provide higher-level insight than Indicators of Compromise (IOCs), making them indispensable for structured adversary emulation.

---------------------------------------------------------------------------------------------------------

Frameworks for Adversary Emulation

Adversary emulation must be structured and systematic. Popular frameworks include:

MITRE ATT&CK: A comprehensive repository of TTPs categorized by adversary behavior.
Kill Chains: Models like the Unified Kill Chain and the Lockheed Martin Cyber Kill Chain provide structured approaches for emulating attacks.
---------------------------------------------------------------------------------------------------------

Tools for Adversary Emulation

Red Team-Focused Tools

Metasploit: A leading exploitation framework, offering standardized exploit development and usage. Use Case: Exploiting vulnerabilities in test environments to simulate attacks.
Empire: A post-exploitation tool supporting both Windows and Linux. Use Case: Simulating persistent threats and lateral movement.

---------------------------------------------------------------------------------------------------------

Advanced Tools for Adversary Emulation and Purple Teaming

1. Atomic Red Team

Developed By: Red Canary
Purpose: To enable quick, simple, and effective tests of security controls by executing adversary techniques mapped to MITRE ATT&CK.
Key Features:
  Ease of Use: Run atomic tests in under five minutes.
  Comprehensive Mapping: Aligns with MITRE ATT&CK techniques.
  Empowers Blue Teams: Helps teams identify detection gaps and understand their blind spots.
Applications:
  Test specific technical controls.
  Understand detection capabilities and gaps.
  Keep up with evolving adversary techniques.
References: Atomic Red Team GitHub, Official Website

---------------------------------------------------------------------------------------------------------

2. PurpleSharp

Developed By: Mauricio Velazco
Purpose: To simulate adversary techniques in Windows Active Directory environments for detection and response evaluation.
Key Features:
  Supports 47 ATT&CK techniques.
  Realistic simulation by using actual user credentials.
  Playbook chaining to replicate multi-stage attacks.
Applications:
  Build and refine detection analytics.
  Validate visibility and detection resiliency.
  Identify event logging pipeline issues.
References: PurpleSharp GitHub, Official Documentation

---------------------------------------------------------------------------------------------------------

3. MITRE CALDERA

Developed By: MITRE
Purpose: To emulate post-compromise adversarial behavior dynamically within enterprise networks.
Key Features:
  Automated adversary emulation.
  Uses ATT&CK techniques and dynamic planning systems.
  Deploys custom backdoors for realistic attack simulations.
Applications:
  Generate real-world data for training and analytics.
  Test defenses and refine behavioral intrusion detection.
  Identify intrinsic security dependencies in networks.
References: CALDERA GitHub

---------------------------------------------------------------------------------------------------------

4. APT Simulator

Developed By: Florian Roth, Nextron Systems
Purpose: A lightweight, script-based tool for simulating endpoint compromise.
Key Features:
  Simple setup with no need for additional infrastructure.
  Focuses on endpoint detection and response testing.
  Ideal for DFIR labs and training environments.
Applications:
  Test EDR tools and monitoring capabilities.
  Evaluate security team response to simulated compromises.
Reference: APT Simulator GitHub

---------------------------------------------------------------------------------------------------------

5. Network Flight Simulator (flightsim)

Developed By: AlphaSOC
Purpose: Simulates malicious network traffic for network-level detection testing.
Key Features:
  Generates DNS tunneling, DGA, Tor, and other suspicious traffic.
  Evaluates security controls and network visibility.
Applications:
  Assess network monitoring and detection tools.
  Simulate malicious traffic patterns to identify blind spots.
Reference: flightsim GitHub

---------------------------------------------------------------------------------------------------------

6. VECTR™

Developed By: Security Risk Advisors
Purpose: Tracks Red and Blue Team activities for measurement and improvement of detection capabilities.
Key Features:
  Logs attack vectors and progress.
  Facilitates collaboration between Red and Blue Teams.
  Ideal for tracking Purple Team activities.
Applications:
  Measure prevention and detection performance.
  Plan and refine detection capabilities collaboratively.
Reference: VECTR™ Official Site

---------------------------------------------------------------------------------------------------------

Choosing the Right Tool

| Tool            | Focus                    | Best For                                       |
|-----------------|--------------------------|------------------------------------------------|
| Atomic Red Team | Endpoint controls        | Quick, atomic security tests.                  |
| PurpleSharp     | Active Directory         | Simulating realistic Windows-based attacks.    |
| CALDERA         | Post-compromise behavior | Advanced dynamic emulation and analytics.      |
| APT Simulator   | Endpoint compromise      | Simple, lightweight simulations.               |
| flightsim       | Network-level simulation | Evaluating network detection capabilities.     |
| VECTR           | Tracking collaboration   | Managing and improving Purple Team operations. |

-------------------------------------------------------------------------------------------------------------

Conclusion

Adversary emulation tools bring diverse capabilities to simulate attacks realistically and test defenses effectively. By leveraging these tools, organizations can improve their detection, prevention, and response strategies, ensuring resilience against evolving cyber threats.

Akash Patel
- Cyber Crime: A Focus on Financial Gain, Espionage (Turla (Uroburos/Snake))
Espionage, the art of covert information gathering, is an ancient practice that has evolved with each generation. The core drivers of espionage stem from various motives, including national interests, corporate competition, and technological advancement. Here’s a closer look at why espionage is so persistent across different domains and how it has adapted to the digital age.

1. Nation-State Espionage

Nation-states engage in espionage to gain strategic advantages in military and political arenas. National intelligence agencies like the CIA (U.S.) and the former KGB (Soviet Union) serve as prime examples of state-sponsored espionage. These agencies aim to collect sensitive information about other countries to improve national security, economic strength, and influence in global negotiations. For example, knowing the negotiation strategies or weaknesses of an adversary can significantly influence outcomes, whether in trade, diplomacy, or even military strategy. Cyber-espionage has become a key component, as demonstrated by groups like Sandworm, which have targeted critical infrastructure in adversarial nations, including the Ukrainian power grid in 2015.

2. Industrial Espionage

Corporate espionage, or industrial spying, involves companies spying on one another to gain competitive advantages. Research and development (R&D) is costly, time-intensive, and uncertain, yet essential for innovation. Some corporations, unwilling to bear these costs, opt to obtain proprietary information or trade secrets from competitors. While this is illegal in most countries, the financial gain can outweigh the legal risks, prompting corporations to factor in potential fines or penalties as a cost of doing business. High-profile cases like China’s involvement in corporate espionage against American tech firms exemplify how these operations are conducted on a global scale, often to advance a country’s economic goals alongside those of specific corporations.

3. Technology and Cyber Espionage

Modern espionage is tightly interwoven with technological advancement. As technology becomes more embedded in society, espionage actors have adapted, employing cutting-edge tools to exploit digital vulnerabilities. Cyber-espionage tools such as malware, social engineering, and zero-day exploits enable spies to access sensitive data remotely. Advanced Persistent Threat (APT) groups, often linked to nation-states, have increasingly used sophisticated malware to infiltrate government and corporate networks, targeting sensitive data stored on digital devices.

Case Study: Turla (Uroburos/Snake)

The Turla cyber-espionage campaign exemplifies the complexity of modern espionage operations. Known for its advanced malware toolkit, Turla has targeted Western government and military networks since at least 2008. Security researchers have linked Turla to Russia, with early instances of its malware (Agent.BTZ) surfacing during an attack on the U.S. Department of Defense in 2008. Notable characteristics of the Turla group’s approach include:

Innovative Persistence Techniques: Turla utilizes techniques like COM object hijacking to maintain long-term access within compromised systems.
Sophisticated Command and Control (C2) Strategies: Turla has adopted unique C2 techniques, such as using satellite-based communication to mask C2 servers, steganography to embed commands in images on social media, and custom backdoors in popular platforms like Outlook and Exchange.
Social Engineering and Limited Zero-Day Use: Turla typically relies on social engineering tactics like phishing emails and watering hole attacks for initial access rather than frequent use of zero-day exploits.

Turla’s Advanced Espionage Techniques: A Closer Look

Turla, an APT group believed to be linked to Russian intelligence, is known for its complex and persistent cyber-espionage campaigns.
The group has used a range of sophisticated techniques to maintain stealth, evade detection, and establish reliable communication channels with infected devices. Here are some of their hallmark methods.

1. COM Object Hijacking for Persistence

COM (Component Object Model) hijacking is one of Turla’s primary techniques for maintaining persistence. This Windows-based tactic allows Turla to load malicious code by abusing the COM objects that manage communication between Windows applications. By hijacking these objects, Turla can run payloads within trusted processes, such as explorer.exe or svchost.exe, making detection more challenging for security tools that often look for obvious code injection attempts.

Two commonly used methods in COM hijacking include:

Phantom COM Objects: Turla places references in the registry for COM objects that don’t have a corresponding file. When a process tries to access these phantom objects, the Turla malware creates the necessary files to initiate malicious behavior.
COM Search Order Hijacking: Turla abuses the search order for COM objects in the registry, which prioritizes user-specific objects (under HKCU) over system-wide objects (under HKLM). This allows them to override trusted system objects with user-specific (and therefore malicious) versions.

Source: Cyberbit

2. Satellite Connectivity for C2 Evasion

Turla’s use of satellite connections as a command-and-control (C2) mechanism is particularly notable. By leveraging satellite internet, Turla makes it extremely difficult for law enforcement or security researchers to track the actual C2 server location. Here’s how the satellite C2 works:

The infected machine connects to an IP using satellite internet.
The satellite broadcasts this request across its entire coverage area, where it is ignored by legitimate users.
The C2 server, situated within the satellite’s coverage, intercepts the request and responds through a conventional internet connection.

This setup obscures the C2 server’s true location, since it can be anywhere within the satellite’s broadcast range. The wide coverage area, along with the network behavior of satellite systems, makes it nearly impossible to pinpoint the adversary’s location.

Source: SecureList

3. Steganography on Social Media for C2

In a creative twist, Turla has used steganography within social media to send C2 commands. One campaign involved embedding commands within comments on Instagram posts, specifically on popular accounts like Britney Spears’. Turla encodes URLs within these comments by using non-printable characters (such as the Zero Width Joiner, \200d) to avoid detection. The malware scans the comments, and if a specific hash matches, it decodes the message and follows the URL for additional commands or payloads.

This approach allows Turla to use public platforms for covert communication, bypassing conventional C2 detection by security software. The wide reach and popularity of platforms like Instagram also add a layer of anonymity, as commands can be posted from virtually any account, and the messages look like typical comments.

Source: SecureList

The Turla APT group, known for its sophisticated cyber-espionage tactics, expanded its toolset in 2018 and 2019 with specialized backdoors targeting Microsoft Outlook and Exchange. These campaigns reveal Turla’s focus on abusing widely used email infrastructure to establish command and control (C2) channels, achieve persistence, and conduct covert operations.

1. Outlook Backdoor (2018)

The Outlook backdoor relies on Microsoft Outlook for persistence and C2. Key features include:

Command Execution and File Transfer: The backdoor supports stealthy command execution and file upload/download, making it a versatile C2 channel and exfiltration method.
Steganography in PDFs: Commands and data are hidden within images in PDFs, allowing Turla to transmit information undetected within normal email communication.
COM Object Hijacking: Turla uses COM object hijacking to achieve persistence, exploiting Windows’ trusted mechanisms to remain unnoticed.
Targeting Eastern Europe: The backdoor was designed to infect Outlook and "The Bat!", a popular Eastern European email client, suggesting a geographic focus in its deployment.

Source: ESET’s detailed analysis

2. Exchange Backdoor (2019)

The following year, Turla extended its approach to target Microsoft Exchange servers with a backdoor whose capabilities included:

Code Execution and Email Manipulation: Turla could execute commands and intercept, alter, and delete emails directly on the server before they reached the end user, making it a stealthier attack method than the Outlook backdoor.
Steganography in Images and PDFs: Similar to the Outlook backdoor, commands and exfiltrated data were hidden within image files embedded in PDF attachments.
Installation via DLL and PowerShell: The backdoor involved installing a malicious DLL as a Transport Agent using PowerShell (the Install-TransportAgent and Enable-TransportAgent cmdlets), embedding itself deeply within the Exchange infrastructure.
Custom Rule Files: Turla utilized rule files with specific conditions for each email action, such as blocking, redirecting, or altering messages, enabling them to trigger actions based on precise sender-recipient pairs.

The Exchange backdoor is particularly stealthy since it operates entirely within the Exchange server environment, intercepting emails before they reach the inbox, which reduces the likelihood of detection by end users.

Source: ESET’s detailed report on the LightNeuron backdoor

Attribution Challenges and Resources

Attribution in cyber-espionage cases like Turla’s is difficult due to technical similarities across campaigns, reuse of tactics like COM object hijacking, and cross-border IP obfuscation.

Several open-source resources provide extensive details on threat actor groups:

ThaiCERT’s Threat Actor Encyclopedia: A detailed resource with profiles on APT groups worldwide, continuously updated with contributions from cybersecurity researchers.
Florian Roth’s APT Groups and Operations Sheet: A Google Sheet offering a high-level overview of APT groups, correlating the various naming conventions used across organizations: https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit?pli=1&gid=1864660085#gid=1864660085
MITRE ATT&CK Groups: This database maps known APT groups to specific techniques within the MITRE ATT&CK framework, helping security teams identify the TTPs associated with different actors.

For a closer look, consult resources like ThaiCERT’s Threat Actor Encyclopedia and MITRE ATT&CK Groups.

Conclusion

The Turla campaigns underscore the sophistication and persistence required to counter modern cyber-espionage threats. By using legitimate systems like Outlook and Exchange to disguise command-and-control activities, Turla showcases the evolving landscape of stealth tactics in state-sponsored cyber operations. Their approach demonstrates the critical need for vigilance and innovation in cybersecurity, as adversaries continually adapt, reusing effective methods and targeting widely used systems to ensure their persistence and impact.

Akash Patel
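As an added illustration for the COM Object Hijacking section above (the same persistence trick reappears in the Outlook backdoor), here is a small Python audit written for this page; it is not Turla tooling and not code from any of the reports cited. It flags a per-user (HKCU) InprocServer32 that shadows a machine-wide (HKLM) one, and server paths with no DLL behind them; the CLSIDs, paths and the on-disk file list are constructed for the demo, and the winreg reader at the end is the only part that touches a real (Windows) host.

```python
"""Audit COM registrations for the two hijacking patterns discussed above:
a per-user (HKCU) InprocServer32 that shadows a machine-wide (HKLM) one
(search-order hijack) and a server path whose DLL is absent from disk
(phantom COM object). Example code written for this page; not Turla's
tooling and not taken from any product or report."""
import os
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

INPROC = "InprocServer32"


@dataclass(frozen=True)
class Finding:
    clsid: str
    kind: str                       # "search_order_hijack" or "phantom_object"
    server: str                     # InprocServer32 path that triggered the finding
    shadowed: Optional[str] = None  # HKLM server overridden by the HKCU entry, if any


def normalise(path: str) -> str:
    # Expand %SystemRoot%-style variables (on Windows) and compare
    # case-insensitively: registry paths are not case-sensitive.
    return os.path.expandvars(path).strip('"').lower()


def find_search_order_hijacks(hklm: Dict[str, str], hkcu: Dict[str, str]) -> List[Finding]:
    """A CLSID registered both per-user and machine-wide is resolved from HKCU
    first. When the two servers differ, the per-user copy silently replaces a
    trusted system object."""
    return [Finding(clsid, "search_order_hijack", user_server, hklm[clsid])
            for clsid, user_server in hkcu.items()
            if clsid in hklm and normalise(user_server) != normalise(hklm[clsid])]


def find_phantom_objects(servers: Dict[str, str],
                         exists: Callable[[str], bool]) -> List[Finding]:
    """An InprocServer32 path with no DLL behind it: either a stale entry or a
    placeholder that malware fills in later, when the object is first requested."""
    return [Finding(clsid, "phantom_object", server)
            for clsid, server in servers.items()
            if not exists(normalise(server))]


def audit(hklm: Dict[str, str], hkcu: Dict[str, str],
          exists: Callable[[str], bool] = os.path.isfile) -> List[Finding]:
    """Run both checks. Phantom detection uses the effective view (HKCU wins),
    because that is the path COM would actually try to load."""
    effective = {**hklm, **hkcu}
    return find_search_order_hijacks(hklm, hkcu) + find_phantom_objects(effective, exists)


def read_clsid_servers(hive_name: str) -> Dict[str, str]:
    """Collect {CLSID: InprocServer32 default value} from a live hive with the
    standard-library winreg module. Windows only; hive_name is
    "HKEY_LOCAL_MACHINE" or "HKEY_CURRENT_USER"."""
    if sys.platform != "win32":
        raise OSError("live registry reads require Windows")
    import winreg
    servers: Dict[str, str] = {}
    with winreg.OpenKey(getattr(winreg, hive_name), r"Software\Classes\CLSID") as key:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, index)
            except OSError:
                break               # no more subkeys
            index += 1
            try:
                servers[clsid] = winreg.QueryValue(key, clsid + "\\" + INPROC)
            except OSError:
                pass                # CLSID without an in-process server
    return servers


# Constructed sample snapshots: CLSIDs, paths and the "files on disk" set are
# invented for this example and do not correspond to real registrations.
SAMPLE_HKLM = {
    "{AAAAAAAA-0000-0000-0000-000000000001}": r"C:\Windows\System32\shell32.dll",
    "{AAAAAAAA-0000-0000-0000-000000000002}": r"C:\Windows\System32\wbem\wbemprox.dll",
}
SAMPLE_HKCU = {
    # Same CLSID as a system object, now served from a per-user path.
    "{AAAAAAAA-0000-0000-0000-000000000001}": r"C:\Users\alice\AppData\Roaming\updater.dll",
    # Registered per-user, but the DLL does not exist on disk (yet).
    "{BBBBBBBB-0000-0000-0000-000000000003}": r"C:\ProgramData\cache\helper.dll",
}
SAMPLE_DISK = {normalise(p) for p in (
    r"C:\Windows\System32\shell32.dll",
    r"C:\Windows\System32\wbem\wbemprox.dll",
    r"C:\Users\alice\AppData\Roaming\updater.dll",
)}


def sample_audit() -> List[Finding]:
    return audit(SAMPLE_HKLM, SAMPLE_HKCU, exists=lambda p: p in SAMPLE_DISK)


if __name__ == "__main__":
    for f in sample_audit():
        extra = f"  (shadows {f.shadowed})" if f.shadowed else ""
        print(f"{f.kind:20} {f.clsid} -> {f.server}{extra}")
```

On a Windows host, `audit(read_clsid_servers("HKEY_LOCAL_MACHINE"), read_clsid_servers("HKEY_CURRENT_USER"))` runs the same two checks against the live registry.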
- Cyber Crime: A Focus on Financial Gain (Bangladesh Bank Heist via the SWIFT Network)
The 2016 Bangladesh Bank Heist stands out as a significant digital theft in which attackers exploited the SWIFT financial messaging system to orchestrate a massive theft from Bangladesh Bank’s account at the Federal Reserve Bank of New York.

Attack Summary

Intrusion Method: The attackers, possibly with insider assistance, used Dridex malware to infiltrate the Bangladesh Bank’s systems. This allowed them to monitor internal processes, especially around international transactions and payment operations.
Reconnaissance and Preparation: To gather intelligence, they installed Sysmon on systems connected to the SWIFT network, which helped them map out SWIFT’s operational patterns and employee interactions with the SWIFT software.
Fraudulent Transactions: Using manipulated PRT files and Printer Command Language, the attackers initiated 35 fraudulent SWIFT messages, attempting to transfer $951 million. Thirty transactions were flagged and blocked by the New York Fed, but five were processed, leading to a $101 million loss for Bangladesh Bank:
  $20 million transferred to Sri Lanka (recovered due to a typographical error).
  $81 million routed to the Philippines, where $18 million was later recovered.
Final Losses: After partial recovery, Bangladesh Bank faced a $63 million loss. Much of this was swiftly laundered through casinos in the Philippines.

Understanding SWIFT’s Role in International Transactions

The SWIFT network facilitates secure financial messaging between banks globally. To grasp the heist’s complexity, understanding the VOSTRO/NOSTRO account setup is essential. Here’s a simplified example to illustrate how SWIFT functions in an international transfer scenario:

Initiation: The buyer’s bank (Bangladesh Bank) receives a request to transfer a large amount, e.g., $10 million.
Intermediary Use: Due to the high international transfer amount and limited access to foreign markets, the transaction involves an intermediary bank. NOSTRO and VOSTRO are the accounting terms used in this setup, where Bangladesh Bank maintains a VOSTRO account with the NY Fed.
Transaction Flow: Bangladesh Bank instructs the NY Fed to debit its VOSTRO account and transfer the amount to the seller’s bank.
Transaction Completion: The NY Fed deducts the amount from the VOSTRO account and completes the transfer to the recipient bank.

Bangladesh Bank’s SWIFT Technical Architecture

The bank’s SWIFT setup involved four main components, interconnected via a VPN:

Core Bank IT Systems: Handle regular banking transactions.
SWIFT Messaging Bridge: Generates SWIFT messages for transactions.
SWIFT Gateway: Ensures secure connectivity between banks via SWIFT protocols.
Confirmation Printer: Provides a physical record of transaction confirmations for verification.

Attack Execution on SWIFT Systems

Malware Deployment: Attackers installed malware on servers running SWIFT Alliance software, which is responsible for SWIFT message handling and validation.
DLL Manipulation: The malware checked active Windows processes for liboradb.dll, a crucial SWIFT component, and patched it in memory to bypass transaction validation by altering the code (a JNZ instruction).
Message Injection: With the patched DLL, attackers could inject unauthorized SWIFT messages into the network without triggering file integrity or signature checks, making the fake transactions appear legitimate.

The Bangladesh Bank Heist: The Intrusion

During the attack, the adversaries compromised systems running the SWIFT messaging bridge software, allowing them to inject fraudulent SWIFT messages. Notably, the bank’s internal IT systems were unaware of this intrusion, as the fraudulent transactions were injected directly into the SWIFT network.

The Bangladesh Bank Heist: Zooming in on the Malware

The malware specifically targeted the Bangladesh Bank’s servers running the SWIFT Alliance software, which manages SWIFT message transactions.
The software performs complex validation checks, which the malware altered to bypass these checks. When executed on the server, the malware scanned all running processes and modules on the Windows OS, searching for the liboradb.dll file . This DLL, a part of the SWIFT Alliance software, handles: Reading the Alliance database path from the registry Starting the database Performing backup and restore functions for the database In processes loading liboradb.dll, the malware altered the DLL in memory by replacing a specific JNZ instruction with two NOP instructions. This bypass caused SWIFT’s validation checks to always succeed, allowing counterfeit transactions to be approved. The in-memory patching allowed the attackers to avoid detection from integrity checks or digital signature validations on SWIFT’s software files. With this modification, counterfeit SWIFT messages could be injected directly into the database. The Bangladesh Bank Heist: Zooming in on the Malware Original Code Manipulated Dll To ensure this function always returns success, the jnz instruction was removed. Instead of deleting the bytes, the malware authors replaced them with NOP (No Operation) instructions, preserving code structure and bypassing the jump condition. This technique is common in machine code patching. The Bangladesh Bank Heist: The Intrusion The malware also intercepted SWIFT gateway confirmations, preventing them from being printed. However, when the confirmation printer malfunctioned , it failed to print any transactions, which raised suspicion . Once it was operational, the backlog—including the injected transactions—was printed. Despite this misstep, the attackers managed to process some transactions successfully due to careful planning. The Bangladesh Bank Heist: The Fraud Flow The attackers initially injected 35 transactions totaling $951M. 
Of these, 30 transactions were blocked because of the keyword “Jupiter” in the bank address, which the NY Fed flagged due to an unrelated sanction hit. Five transactions, totaling $101M, were processed by the NY Fed. Four of these succeeded and were directed to three pre-established accounts at the Rizal Commercial Banking Corporation (RCBC) in the Philippines. One transaction was blocked due to a typo (“Shalika foundation” vs. “Shalika fandation”), prompting Deutsche Bank to request verification from Bangladesh Bank. The $81M that did reach RCBC was further funneled to casino accounts, where it was withdrawn and laundered.

The Bangladesh Bank Heist: Key Takeaways

The Bangladesh Bank heist serves as a critical example of vulnerabilities in financial institutions and the sophisticated tactics employed by attackers. Here are some essential insights from the incident:

- Cybersecurity Posture: The Bangladesh Bank’s cybersecurity framework was alarmingly inadequate, particularly for a financial institution. The lack of network segmentation and the reliance on low-cost, secondhand infrastructure made it easier for attackers to infiltrate.
- SWIFT Vulnerabilities: Although SWIFT is known for its secure environment, this heist revealed that its security is only as strong as its weakest link. The attack exploited the bank’s infrastructure without directly targeting SWIFT itself. This incident motivated SWIFT to launch its Customer Security Program (CSP) to enhance the security of institutions within its network.
- Meticulous Planning: The heist was strategically timed, taking advantage of bank holidays and off-hours when responses would be delayed. This planning allowed the attackers to avoid immediate detection.
- Extended Network Access: Attackers had been lurking within Bangladesh Bank’s network for a significant period before executing their plan.
This prolonged access likely hindered the ability to identify the initial breach point, highlighting the need for improved network monitoring that could have detected the intrusion sooner.

Cyber Crime: Notable Ransomware Families

The evolution of ransomware has resulted in the emergence of numerous families, each with unique tactics and impact. Here are some significant ransomware variants:

- Locky: Highly versatile, Locky can spread through exploit kits or traditional phishing emails, making it widely adaptable and popular.
- Cerber: Known for its multifaceted approach, Cerber not only encrypts files but can also launch DDoS attacks against its victims.
- Jigsaw: Inspired by the “Saw” movie series, Jigsaw both encrypts and exfiltrates data, increasing pressure on victims to pay the ransom.
- Crysis & LeChiffre: Both leverage brute-force attacks against RDP to infiltrate systems, avoiding traditional phishing methods.
- Goldeneye, Petya, & HDDCryptor: These ransomware variants don’t just encrypt files; when run with admin rights, they encrypt entire hard drives, even overwriting the Master Boot Record.
- Popcorn Time: This variant introduces a “social” twist, offering victims the decryption key for free if they successfully infect others.
- WannaCry (Wcry): Famous for its May 2017 attack, WannaCry exploited an SMB vulnerability (leaked by ShadowBrokers) to spread across networks, impacting several large organizations.
- NotPetya: Rising to prominence in June 2017, NotPetya combined SMB exploits with credential-stealing tools like Mimikatz, followed by lateral movement techniques such as PsExec/WMIC. Many believe its true aim was widespread disruption rather than ransom collection.
- GandCrab: Launched in January 2018, GandCrab popularized the Ransomware-as-a-Service (RaaS) model, enabling less skilled cybercriminals to deploy ransomware. Its creators announced the end of operations on May 31, 2019.
- Ryuk: Primarily targeting large organizations, Ryuk ransomware operators aim to control entire networks and coordinate a wide distribution of the malware, hoping for substantial ransom payouts.
- Maze: Known for data theft, Maze often enters systems via phishing and post-compromise utility execution. Before encryption, it exfiltrates data, threatening public exposure if the victim refuses to pay.

If you want to learn more about the bank heist, check the link below:
https://www.niceideas.ch/roller2/badtrash/entry/deciphering-the-bengladesh-bank-heist

Conclusion:

The Bangladesh Bank heist and the evolution of ransomware attacks provide crucial lessons for organizations, particularly in the financial and critical infrastructure sectors. The Bangladesh Bank incident highlighted how vulnerabilities in basic cybersecurity practices, such as poor network segmentation, outdated infrastructure, and a lack of proactive monitoring, can expose even the most secure systems, like SWIFT, to indirect threats. This event spurred initiatives like the SWIFT Customer Security Program (CSP), underscoring that security must be holistic, addressing even the weakest links.

Akash Patel



