SentinelOne Threat Hunting Series P2: Must-Have Custom Detection Rules
- Jan 16

In this article, we continue exploring the power of SentinelOne’s custom detection rules to enhance control over your environment's security. These rules allow you to define specific conditions for detecting and responding to potential threats, giving you the flexibility to act beyond built-in detections.
11. Mimikatz (Reg Add with Process Name)
Rule:
tgt.process.name == "powershell.exe" AND (registry.keyPath == "SYSTEM\\CurrentControlSet\\Services\\mimidrv" OR tgt.process.cmdline contains:anycase("MISC::AddSid", "LSADUMP::DCShadow", "SEKURLSA::Pth", "CRYPTO::Extract")) AND (file.name in:anycase("vaultcli.dll", "samlib.dll", "kirbi"))
Description: Detects malicious registry modifications associated with Mimikatz. The rule identifies suspicious PowerShell activity and DLL manipulations indicative of credential dumping or lateral movement.
12. MimikatzV (Behavior-Based)
Rule:
event.type == "Behavioral Indicators" AND indicator.name in:matchcase("Mimikatz", "PrivateKeysStealAttemptWithMimikatz") OR (event.type == "File Creation" AND tgt.file.path matches(".*\\mimikatz.*", ".*\\sekurlsa.*", ".*\\mimidrv.*", ".*\\mimilib.*")) OR (event.type == "Threat Intelligence Indicators" AND tiIndicator.malwareNames contains:anycase("Mimikatz"))
Description: A behavior-based rule for detecting Mimikatz activity by monitoring file creation, threat intelligence indicators, and behavioral signs linked to credential theft.
13. Disable Veeam Backup Services V2
Rule:
tgt.process.cmdline contains:anycase("net.exe stop veeamdeploysvc", "vssadmin.exe Delete Shadows", "vssadmin.exe delete Shadows /All /Quiet", "wmic shadowcopy delete")
Description: Flags attempts to disable Veeam Backup services, commonly used by attackers to disrupt data recovery processes during ransomware campaigns.
14. Mimikatz Executables
Rule:
tgt.file.path contains:anycase("mimikatz.exe", "mimikatz", "mimilove.exe", "mimilove", "mimidrv.sys", "mimidrv", "mimilib.dll", "mimilib", "mk.7z")
Description: Detects the presence of Mimikatz executables or libraries, identifying potential tool deployment for credential harvesting.
15. Rclone (the same pattern works for other tools such as mega.io or FileZilla)
Rule:
src.process.name in:matchcase("rclone.exe", "rclone.org", "Rclone.exe") AND event.dns.request == "rclone.org" OR tgt.process.cmdline contains:anycase("rclone") OR src.process.displayName contains:anycase("rclone") OR src.process.cmdline contains:anycase("rclone")
Description: Monitors activity related to Rclone, a legitimate tool often abused for exfiltrating data to cloud storage services.
16. NTDSUtil
Rule:
event.type == "Process Creation" AND ((tgt.process.cmdline contains:anycase("copy ") AND (tgt.process.cmdline contains:anycase("\\Windows\\NTDS\\NTDS.dit") OR tgt.process.cmdline contains:anycase("\\Windows\\System32\\config\\SYSTEM "))) OR (tgt.process.cmdline contains:anycase("save") AND tgt.process.cmdline contains:anycase("HKLM\\SYSTEM "))) OR (tgt.process.name == "ntdsutil.exe" AND tgt.process.cmdline contains:anycase("ac i ntds")) OR (tgt.process.name == "mklink.exe" AND tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy"))) AND !(src.process.cmdline contains:anycase("Get-psSDP.ps1")) OR (src.process.cmdline contains:anycase("ntdsutil") AND src.process.cmdline contains:anycase("ifm")) OR (tgt.process.cmdline contains:anycase("ntdsutil") AND tgt.process.cmdline contains:anycase("ifm"))
Description: Targets suspicious usage of NTDSUtil to access Active Directory databases and other sensitive registry keys, a technique used in domain compromises.
17. CURL Connecting to IPs
Rule:
src.process.cmdline contains:matchcase("curl.exe") AND event.network.direction == "OUTGOING" AND dst.ip.address matches("^((?!10\\.).)*$") AND dst.ip.address matches("^((?!172\\.1[6-9]\\.).)*$") AND dst.ip.address matches("^((?!172\\.2[0-9]\\.).)*$") AND dst.ip.address matches("^((?!172\\.3[0-1]\\.).)*$")
Description: Detects CURL network connections to non-local IP addresses, helping to identify potential data exfiltration attempts.
18. Admin$hare Activity (Cobalt Strike - Service Install Admin Share)
Rule:
src.process.cmdline contains:matchcase("\\127.0.0.1\\ADMIN$") AND src.process.cmdline contains:matchcase("cmd.exe /Q /c")
Description: Identifies suspicious activity targeting the ADMIN$ share, often used by tools like Cobalt Strike for lateral movement.
19. RDP Detection (Any Port)
Rule:
event.type == "IP Connect" AND event.network.direction == "INCOMING" AND src.process.cmdline contains:anycase("-k NetworkService -s TermService") AND src.ip.address matches("\\b(?!10|192\\.168|172\\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") AND src.ip.address != "127.0.0.1"
Description: Monitors incoming RDP connections, highlighting unusual or unauthorized attempts to access the environment.
20. RDP Detection (Port 3389)
Rule:
dst.port.number == 3389 AND event.network.direction == "INCOMING" AND src.ip.address matches("\\b(?!10|192\\.168|172\\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") AND src.ip.address != "127.0.0.1"
Description: Focused detection of RDP activity on the standard port 3389, which is commonly targeted in brute-force attacks.

Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋
