This is just a list of unofficial SentinelOne resources: anything that helps with administration, deployment, automation, or queries.
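#!/bin/bash
# Fetch the mkubecek/vmware-host-modules tree matching the installed VMware
# Workstation version so its kernel modules can be rebuilt. The listing is an
# excerpt: the checkout/build steps that follow are not shown here.
#
# Fail fast: any failing command (including a failing `vmware -v` or a grep
# with no match inside the pipeline) aborts instead of continuing with an
# empty version string or a wrong directory.
set -euo pipefail

# Detect the installed version, e.g. "VMware Workstation 16.2.1 build-18811642"
# becomes "workstation-16.2.1". The dots in the pattern are escaped so they
# match literal dots rather than any character.
VMWARE_VERSION="workstation-$(vmware -v | grep -oE '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+' | head -n1)"

# NOTE(review): a fixed path under the shared /tmp is predictable; on a
# multi-user host prefer `mktemp -d` if nothing later depends on this exact path.
TMP_FOLDER=/tmp/patch-vmware

# Recreate a clean scratch directory. The variable is quoted everywhere so an
# empty or space-containing value can never expand to a bare `rm -fdr`.
rm -fdr "$TMP_FOLDER"
mkdir -p "$TMP_FOLDER"
cd "$TMP_FOLDER"
git clone https://github.com/mkubecek/vmware-host-modules.git
cd "$TMP_FOLDER/vmware-host-modules"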
#!/usr/bin/python3
"""Merge netmaker clients from every bound network into the local hosts file.

This excerpt only shows the module header; the merge logic follows later in
the original script.
"""
import subprocess
import json

# Destination hosts file; writing to it normally requires root privileges.
HOST_FILE = '/etc/hosts'
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.yaml | |
| https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml |
from pyattck import Attck

# Print a markdown outline of ATT&CK Enterprise: every technique as an H1
# heading, followed by an H2 line for each of its sub-techniques that lists
# "Linux" among its platforms.
attack = Attck()
for technique in attack.enterprise.techniques:
    print(f"# {technique.name}")
    linux_subtechniques = [
        sub for sub in technique.subtechniques if "Linux" in sub.platforms
    ]
    for subtechnique in linux_subtechniques:
        print(f"## {subtechnique.id} {subtechnique.name}")
| Sha256 In ("2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd", "47DDED0EFC230C3536F4DB1E2E476AFD3EDA8D8EA0537DB69D432322CDBAC9CA") OR IP In ("95.213.165.20", "159.148.186.228", "194.76.225.46", "185.158.250.216", "45.11.180.153", "194.76.225.61") OR DnsRequest In ("minexmr.com", "citationsherbe.at") |
| Search Engine | Keyword | URL Query | Data Type | |
|---|---|---|---|---|
| VT Search by Hash | vthash | https://www.virustotal.com/gui/file/%s/detection | Any file hash | |
| VT Search by Domain | vtdomain | https://www.virustotal.com/gui/domain/%s/details | Domain Names | |
| VT Search by IP | vtip | https://www.virustotal.com/gui/ip-address/%s/relations | IP Addresses | |
| RiskIQ Query | riskiq | https://community.riskiq.com/search/%s | Any Domain or IP | |
| AlienVault | otx | https://otx.alienvault.com/browse/pulses?q=%s | Anything? | |
| AlienVault IP | otxip | https://otx.alienvault.com/indicator/ip/%s | IP Addresses | |
| AlienVault Domain | otxdomain | https://otx.alienvault.com/indicator/domain/%s | Domain | |
| IPINFO | ipinfo | https://ipinfo.io/%s | IP Addresses | |
| CRT.sh | crt | https://crt.sh/?q=%s | Domain, IP, Cert string or hash | |
| IndicatorName In ( "ServiceCreate" ) AND IndicatorMetadata RegExp "ServiceName: \"[a-zA-Z]{6,8}\"$" AND SrcProcName Not In ( "msiexec.exe" , "ccmsetup.exe" , "SetupRST.exe" , "Uninstap.exe" , "CcmEval.exe" , "TSManager.exe" , "CcmExec.exe" , "wuauclt.exe" ) AND IndicatorMetadata RegExp "^ServiceName: (\".*(?<!DeviceInstall|TrustedInstaller|Netlogon|wuauserv|ccmsetup|WManSvc|Winmgmt|CipcCdp|atashost|vpnagent|Dnscache|cplspcon|acnamfd|ancrcl|IISADMIN|gupdatem|gupdate|CcmExec)\")$" |
| SrcProcName ContainsCIS "rundll32.exe" and SrcProcCmdLine RegExp "(?i)(shell32.dll.*Control_RunDLL).*" AND SrcProcCmdLine RegExp "^(?!.*CCM\\SMSCFGRC.cpl|.*RunDLL timedate.cpl|.*mmsys.cpl|.*system32\\appwiz.cpl).*" AND TgtProcCmdLine RegExp "^(?!.*desk.cpl,ScreenSaver|.*launchalpsdelltouchpad|.*System32\\hdwwiz.cpl|.*ClearMyTracksByProcess).*" AND TgtProcName Not In ( "ieunatt.exe", "ieUnatt.exe", "MouseKeyboardCenter.exe", "mmc.exe", "Bubbles.scr", "SystemPropertiesComputerName.exe" ) |
SrcProcPublisher ContainsCIS "PB03 TRANSPORT LTD" OR TgtFileSha256 In AnyCase ("d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e", "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd", "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2") OR SrcProcCmdLine ContainsCIS "c:\kworking\agent.exe"
`DnsRequest RegExp "(?i)((dubnew|zewatchers|bouquet-de-roses|appsformacpc|friendsandbrgrs|thenewrejuveme|xn--singlebrsen-vergleich-nec|sabel-bf|seminoc|tastewilliamsburg|aselbermachen|creamery201|rerekatu|makeurvoiceheard|bradynursery|aarvorg|artige|highlinesouthasc|sofavietxinh|higadograsoweb|ruralarcoiris|harpershologram.wordpress|ohidesign|international-sound-awards|krlosdavid|durganews|coding-machine|caribbeansunpoker|mir-na-iznanku|promesapuertorico|grelot-home|id-vet|bricotienda|boldcitydowntown|homecomingstudio|sojamindbody|asgestion|danubecloud|no-plans|schoolofpassivewealth|lmtprovisions|talentw