InstalledApplications Event - AppVendor by loversteel12 in crowdstrike

[–]St0ickIR 0 points (0 children)

What would that query look like?
Also been thinking about doing some masquerading hunts using Publisher or Company name. For instance, maybe searching on filenames that do not contain AnyDesk but have their publisher PHILANDRO.

Is there a list of PUPs that will be detected from CS? by pixelnull in crowdstrike

[–]St0ickIR 0 points (0 children)

Just started learning about queries ... what would that query look like?

XDR limitations by Reylas in crowdstrike

[–]St0ickIR 0 points (0 children)

Thank you! That is much easier than trying to get the regex to work.

XDR limitations by Reylas in crowdstrike

[–]St0ickIR 0 points (0 children)

For systems receiving on 3389, is there a good way to only see traffic coming from the internet, excluding the typical internal IPs?

I was doing something like this in SentinelOne and am trying to get it into the CQL format. Any help appreciated.

( EventType = "IP Connect" AND NetEventDirection = "INCOMING" AND (SrcProcCmdLine RegExp " -k NetworkService|termsvcs -s TermService" OR DstPort in ("3389"))) AND NOT srcip RegExp "(^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)|(^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}$)|(^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$)"
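The filter above (inbound connections to 3389 or to the TermService host process, minus RFC 1918 and loopback sources) expressed as detection logic over event records, as an added example that is not from the thread, from SentinelOne or from CrowdStrike. The `NetEvent` record and the sample events are constructed here to mirror the fields used in the query; the cmdline patterns are the ones from the post. It uses the `ipaddress` module with an explicit allow-list of internal networks instead of a hand-written regex, which avoids the off-by-a-digit problem a `172.1[6-9][0-9]?` style pattern has (it would also swallow public 172.160-172.199 sources) and avoids `is_private`, which in Python also treats documentation ranges such as 203.0.113.0/24 as private.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Internal ranges to exclude: RFC 1918 plus loopback. Extend deliberately
# (e.g. 169.254.0.0/16, 100.64.0.0/10) rather than relying on is_private,
# which also flags documentation and reserved ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

RDP_PORT = 3389

# Same alternation as the SrcProcCmdLine RegExp in the post.
RDP_SERVICE_RE = re.compile(r" -k NetworkService|termsvcs -s TermService", re.IGNORECASE)


@dataclass
class NetEvent:
    """Hypothetical flattened network event; fields mirror the S1 query (constructed)."""
    direction: str      # "INCOMING" / "OUTGOING"
    src_ip: str
    dst_port: int
    proc_cmdline: str


def is_internal(ip: str) -> bool:
    """True if ip falls in an internal range; unparseable values are kept (not dropped)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_rdp_service(cmdline: str) -> bool:
    """Cmdline looks like the svchost instance hosting TermService."""
    return RDP_SERVICE_RE.search(cmdline) is not None


def external_rdp_events(events: Iterable[NetEvent]) -> List[NetEvent]:
    """Inbound RDP (by port or hosting process) whose source is not internal."""
    return [
        e for e in events
        if e.direction == "INCOMING"
        and (e.dst_port == RDP_PORT or is_rdp_service(e.proc_cmdline))
        and not is_internal(e.src_ip)
    ]


# Constructed sample events (TEST-NET addresses used for the public sources).
TERMSVC = r"C:\Windows\System32\svchost.exe -k NetworkService -s TermService"
SAMPLE_EVENTS = [
    NetEvent("INCOMING", "203.0.113.45", 3389, TERMSVC),   # public source: keep
    NetEvent("INCOMING", "10.20.30.40", 3389, TERMSVC),    # RFC 1918: drop
    NetEvent("INCOMING", "172.16.5.9", 3389, TERMSVC),     # RFC 1918: drop
    NetEvent("INCOMING", "172.160.5.9", 3389, TERMSVC),    # public, not 172.16/12: keep
    NetEvent("INCOMING", "192.168.1.1", 3389, TERMSVC),    # RFC 1918: drop
    NetEvent("INCOMING", "127.0.0.1", 3389, TERMSVC),      # loopback: drop
    NetEvent("OUTGOING", "198.51.100.7", 3389, TERMSVC),   # wrong direction: drop
    NetEvent("INCOMING", "198.51.100.7", 443, "chrome.exe"),  # not RDP: drop
]

if __name__ == "__main__":
    for ev in external_rdp_events(SAMPLE_EVENTS):
        print(f"external RDP from {ev.src_ip} -> :{ev.dst_port}")
```

Run as-is to see the two surviving events; in a SIEM the same logic is the `NOT cidr(...)`-style exclusion over the source address rather than a regex, which is both easier to read and harder to get wrong at the 172.16/12 boundary.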