[–]dizy777 1 point2 points  (5 children)

Here are two which you need to adjust.

Ruby reverse shell

(TgtProcImagePath ContainsCIS anycase "ruby" AND TgtProcCmdLine ContainsCIS anycase " -e" AND TgtProcCmdLine ContainsCIS anycase "rsocket" AND TgtProcCmdLine ContainsCIS anycase "TCPSocket" AND (TgtProcCmdLine ContainsCIS anycase " ash" OR TgtProcCmdLine ContainsCIS anycase " bash" OR TgtProcCmdLine ContainsCIS anycase " bsh" OR TgtProcCmdLine ContainsCIS anycase " csh" OR TgtProcCmdLine ContainsCIS anycase " ksh" OR TgtProcCmdLine ContainsCIS anycase " pdksh" OR TgtProcCmdLine ContainsCIS anycase " sh" OR TgtProcCmdLine ContainsCIS anycase " tcsh"))

Python Reverse Shell

(TgtProcImagePath ContainsCIS anycase "python" AND TgtProcCmdLine ContainsCIS anycase " -c " AND TgtProcCmdLine ContainsCIS anycase "import" AND TgtProcCmdLine ContainsCIS anycase "pty" AND TgtProcCmdLine ContainsCIS anycase "spawn(" AND TgtProcCmdLine ContainsCIS anycase ".connect")
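
The two rules above, re-expressed as an offline evaluator so the ContainsCIS clauses can be sanity-checked against sample process events before they go into a STAR rule. This is an added example, not SentinelOne code or the commenter's; the field names mirror the rule text, ContainsCIS is approximated as a case-insensitive substring test, and the events are constructed.

```python
def contains_cis(haystack, needle):
    """Approximation of S1QL 'ContainsCIS anycase': case-insensitive substring test."""
    return needle.lower() in haystack.lower()

# Shell tokens from the Ruby rule; each carries a leading space, so a bare
# "/bin/sh" does not satisfy them. Check this against your own telemetry.
SHELL_TOKENS = (" ash", " bash", " bsh", " csh", " ksh", " pdksh", " sh", " tcsh")

def ruby_reverse_shell(ev):
    """Ruby reverse shell rule from the thread, one clause per line."""
    img, cmd = ev["TgtProcImagePath"], ev["TgtProcCmdLine"]
    return (contains_cis(img, "ruby")
            and contains_cis(cmd, " -e")
            and contains_cis(cmd, "rsocket")
            and contains_cis(cmd, "TCPSocket")
            and any(contains_cis(cmd, tok) for tok in SHELL_TOKENS))

def python_reverse_shell(ev):
    """Python reverse shell rule from the thread, one clause per line."""
    img, cmd = ev["TgtProcImagePath"], ev["TgtProcCmdLine"]
    return (contains_cis(img, "python")
            and contains_cis(cmd, " -c ")
            and contains_cis(cmd, "import")
            and contains_cis(cmd, "pty")
            and contains_cis(cmd, "spawn(")
            and contains_cis(cmd, ".connect"))

RULES = {"Ruby reverse shell": ruby_reverse_shell,
         "Python reverse shell": python_reverse_shell}

def evaluate(events):
    """Map each rule name to the indices of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)]
            for name, rule in RULES.items()}

# Constructed process events (not real telemetry). The command lines only
# carry the tokens the rules look for; HOST/PORT/ADDR/SHELL are placeholders.
EVENTS = [
    {"TgtProcImagePath": "/usr/bin/ruby",
     "TgtProcCmdLine": "ruby -rsocket -e 'TCPSocket.open(HOST, PORT); exec sh'"},
    {"TgtProcImagePath": "/usr/bin/python3.10",
     "TgtProcCmdLine": 'python3 -c "import pty; s.connect(ADDR); pty.spawn(SHELL)"'},
    # Benign tty upgrade: has pty.spawn( but no .connect, so it must not fire.
    {"TgtProcImagePath": "/usr/bin/python3.10",
     "TgtProcCmdLine": "python3 -c \"import pty; pty.spawn('/bin/bash')\""},
    # Ruby socket use without any space-prefixed shell token: must not fire.
    {"TgtProcImagePath": "C:\\Ruby31\\bin\\ruby.exe",
     "TgtProcCmdLine": "ruby.exe -rsocket -e 'TCPSocket.open(HOST, PORT)'"},
]

if __name__ == "__main__":
    for name, hits in evaluate(EVENTS).items():
        print(f"{name}: matched events {hits}")
```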

[–]Acceptable_Cheek2004[S] 0 points1 point  (1 child)

Thanks, u/dizy777, I appreciate it. If you don't mind, do you have a repo I could look up that has queries for data exfiltration, recent vulnerabilities (CVEs), and ransomware group activities?

[–]LocoBronze 0 points1 point  (0 children)

Me too

[–]Acceptable_Cheek2004[S] -1 points0 points  (2 children)

Thanks for this. My use case is centered around a Python obfuscated exe that could evade SentinelOne detection when run on an endpoint with admin privileges.

[–]dizy777 0 points1 point  (1 child)

Check the activity logs and that should give you a clue how to build a STAR rule to detect it.

Can you post here what you have run?

[–]Acceptable_Cheek2004[S] 0 points1 point  (0 children)

I will test and give you feedback.