Sentinel One Malware Playbook (Start) - Coggle Diagram
Extract the SHA1 hash from the quarantined file/event.
(Add it to the case wall/insight in Siemplify and check the VT and MISP threat intelligence feeds to verify whether the file has been sandboxed previously.)
Extract additional artifacts from the Threat Details tab in S1 (Endpoint Name, Originating Process, File Path, Cmd line Args, Detection Type).
Create an additional Enrichment Insight listing all applications installed on the infected device. (Many false positives come from legitimate software updates, which can be validated by checking whether the device has that particular software installed.)
Create Enrichment Insight with previous listed Threat Details.
If Indicators are present in S1, create Enrichment Insight including Indicator Details.
INDICATORS (2)
Process achieved persistency through launchd job
Process dropped a hidden suspicious plist to achieve persistency
Apply the proper policies and rules for whichever group policy the infected device falls under, i.e. Kill, Quarantine, Remediate, and Rollback.
Auto-check whether the file hash has been seen before in the SentinelOne tenant and verify the policies, procedures, and/or determinations applied the last time the file hash was seen.
If the file hash HAS been seen before, is not blacklisted, and is determined to be a true positive, add a playbook step asking the analyst whether blacklisting is necessary.
If the file hash HAS NOT been seen before, continue with triaging the malware incident.
Enrichment Insights for pre-made queries depending on the type of malware, hash, storyline, etc.
Example Query for Static threats without a Storyline ID#
TgtFileSha1 = "ebfdaf754320cc78343c9d8bb603b56c5b22d3b4" AND EndpointName = "COS13847" AND EventType in ("Pre Execution Detection")
Example query for SHA or Target Process SHA
TgtFileSha1 = "ebfdaf754320cc78343c9d8bb603b56c5b22d3b4" OR TgtProcImageSha1 = "ebfdaf754320cc78343c9d8bb603b56c5b22d3b4"
Example Query for Storyline IDs
SrcProcStorylineId = "4A65A4B036BF557F" OR TgtProcStorylineId = "4A65A4B036BF557F"
Example Query to view 5 minutes before or after the event.
In Deep Visibility, search for 'Custom Range' in the time field and apply the date and 5 minutes before and after the event time. Times should appear in the following order:
First seen - Jun 22, 2022 14:40:02 AND Last seen - Jun 22, 2022 14:45:02, with an additional query for that particular user or device.
Use this query in conjunction with the 'Custom Range' filter to view all events on that device.
TgtProcUser contains "COS-AD\SYST001" AND EventType = "Process Creation"
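To build the four Deep Visibility queries above from case artifacts without hand-editing strings (a mistyped hash or a stray quote silently returns no hits), the following Python helper is an added example, not part of the original playbook or of SentinelOne's tooling. Field names and values are those from the queries above; the validation regexes and the time format used for the Custom Range window are assumptions, and the demo event time is constructed.

```python
import re
from datetime import datetime, timedelta

# Added example: builds the playbook's Deep Visibility queries from artifacts.
# Field names come from the playbook; the regexes and the time format are
# assumptions about how S1 presents hashes, Storyline IDs and timestamps.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
STORYLINE_RE = re.compile(r"^[0-9A-F]{16}$")
DV_TIME_FMT = "%b %d, %Y %H:%M:%S"   # e.g. "Jun 22, 2022 14:40:02"


def is_sha1(value: str) -> bool:
    return bool(SHA1_RE.match(value.lower()))


def is_storyline_id(value: str) -> bool:
    return bool(STORYLINE_RE.match(value.upper()))


def _quoted(value: str) -> str:
    # Reject embedded quotes instead of escaping them: DV escaping rules are
    # not covered by this playbook, and a stray quote would change the query.
    if '"' in value:
        raise ValueError(f"unsafe character in query value: {value!r}")
    return f'"{value}"'


def static_threat_query(sha1: str, endpoint: str) -> str:
    """Static (pre-execution) detection that carries no Storyline ID."""
    if not is_sha1(sha1):
        raise ValueError(f"not a SHA1: {sha1!r}")
    return (f'TgtFileSha1 = {_quoted(sha1.lower())} AND EndpointName = '
            f'{_quoted(endpoint)} AND EventType in ("Pre Execution Detection")')


def hash_query(sha1: str) -> str:
    """Hits on the hash as either the target file or the process image."""
    if not is_sha1(sha1):
        raise ValueError(f"not a SHA1: {sha1!r}")
    h = _quoted(sha1.lower())
    return f"TgtFileSha1 = {h} OR TgtProcImageSha1 = {h}"


def storyline_query(storyline_id: str) -> str:
    """Everything in the same Storyline, as source or target process."""
    if not is_storyline_id(storyline_id):
        raise ValueError(f"not a Storyline ID: {storyline_id!r}")
    s = _quoted(storyline_id.upper())
    return f"SrcProcStorylineId = {s} OR TgtProcStorylineId = {s}"


def device_activity_query(user: str) -> str:
    """Process creations for the user; pair with the Custom Range filter."""
    return f'TgtProcUser contains {_quoted(user)} AND EventType = "Process Creation"'


def custom_range(event_time: datetime, minutes: int = 5) -> tuple:
    """First seen / Last seen strings for the Custom Range time filter."""
    delta = timedelta(minutes=minutes)
    return ((event_time - delta).strftime(DV_TIME_FMT),
            (event_time + delta).strftime(DV_TIME_FMT))
```

Paste the returned strings into the Deep Visibility search bar; the `custom_range` pair goes into the 'Custom Range' time field as First seen and Last seen.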
Explaining the fetch command.
Navigate to the SentinelOne console and click on the Sentinels tab in the left-hand sidebar.
Type in the name of the device and click on it in the drop-down. Navigate to the Device tab in the bottom right of the screen.
Click the purple 'Actions' tab in the Device Details. Scroll down to 'Response' and click on 'File Fetch'.
Copy the file path from the Command Line Arguments Enrichment Insight and paste that file path into the text box.
If the file path is unavailable from Enrichment, attempt to download the file via the Threat Details tab in S1.
The Threat Details tab can be accessed via the 'Actions' tab in the Device Details. Scroll down to 'Shortcuts' and click on 'View Threats'.
Once in the Threat Details tab, the 'Download Threat File' button is underneath the 'Hunt Now' button in the center-top right of the page.
Set the password for the file to 'Infected!1' and then navigate to the Activities tab in the left-hand sidebar. Once in the Activities tab, search for the file that was fetched, then download and sandbox the suspicious file.
After utilizing OSINT, Enrichment Insights, and Deep Visibility searches for additional context, make a determination for the quarantined file.
True Positive
Prepare detailed findings from Deep Visibility and formulate a structured timeline of events to present to the client via a Zendesk ticket.
Automatically start a full disk scan if a True Positive is determined.
Have T2 analysts verify that the full disk scan ran successfully.
T2 determines whether it is necessary to pull the device off the network to prevent further infection and/or intrusion.
Populate the Zendesk ticket and submit it for T2 review.
Assist the client in getting the device back into an operational state.
Review the T1 ticket and add any additional findings relevant to the client.
Unwanted Program
Escalate to T2 queue for verification (Include any details found in triaging stage to validate claim.)
False Positive
Escalate to T2 queue for verification (Include any details found in triaging stage to validate claim.)
Unable to determine
Escalate to T2 queue for verification (Include any details found in triaging stage to validate claim.)
If time allows, have the T2 analysts working the case sync up with T1 to go over any additional procedures that may have been overlooked, or any intel that could help T1 better understand the case.
If the file hash HAS been seen in the SentinelOne tenant before, pull the details of the previous process command lines and create an Entity Enrichment Insight containing the SrcProcCmdLine details from previous cases.
Pull any relevant details from the MISP feeds and add the VT link to an Enrichment Insight in Siemplify.