Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 43.8 KB

ds_sentinelone_singularity_platform.md

File metadata and controls

19 lines (17 loc) · 43.8 KB
Raw

Vendor: SentinelOne

Product: Singularity Platform

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
682 194 170 22 56
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access user-password-modify:success (account-password-change)
sentinelone-singularityp-json-user-password-modify-success-3711

user-password-reset:success (account-password-reset)
sentinelone-singularityp-json-user-password-reset-success-3710

scheduled_task-trigger:success (app-activity)
sentinelone-singularityp-kv-app-activity-success-malware
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-app-activity-success-activitytype4008
sentinelone-singularityp-json-app-activity-success-activitytype2001
sentinelone-singularityp-json-app-activity-success-activitytype2004
sentinelone-singularityp-json-user-role-assign-success-37
sentinelone-singularityp-json-user-role-assign-success-23
sentinelone-singularityp-json-app-activity-success-30-catchall
sentinelone-singularityp-json-rule-create-success-3600

app-login:success (app-login)
sentinelone-singularityp-json-app-login-success-27

app-login:fail (failed-app-login)
sentinelone-singularityp-json-app-login-fail-133

endpoint-login:success (remote-logon)
sentinelone-singularityp-json-endpoint-login-success-logins
sentinelone-singularityp-json-endpoint-login-success-winlogonattempt

http-traffic:success (web-activity-allowed)
sentinelone-s-cef-http-session-success-visibility
sentinelone-s-cef-http-session-success-visibility-1
sentinelone-singularityp-kv-http-session-success-endpoint
sentinelone-singularityp-cef-alert-trigger-success-agentoperation
sentinelone-singularityp-json-alert-trigger-success-url-1
 T1021 - Remote Services
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
  • 41 Rules
  • 20 Models
Account Manipulation user-password-modify:success (account-password-change)
sentinelone-singularityp-json-user-password-modify-success-3711

user-password-reset:success (account-password-reset)
sentinelone-singularityp-json-user-password-reset-success-3710

scheduled_task-trigger:success (app-activity)
sentinelone-singularityp-kv-app-activity-success-malware
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-scheduled_task-scheduledtask
sentinelone-singularityp-json-app-activity-success-activitytype4008
sentinelone-singularityp-json-app-activity-success-activitytype2001
sentinelone-singularityp-json-app-activity-success-activitytype2004
sentinelone-singularityp-json-user-role-assign-success-37
sentinelone-singularityp-json-user-role-assign-success-23
sentinelone-singularityp-json-app-activity-success-30-catchall
sentinelone-singularityp-json-rule-create-success-3600

process-create:success (process-created)
sentinelone-singularityp-cef-process-create-success-visibility
sentinelone-singularityp-json-process-create-success-processcreation-2
sentinelone-singularityp-json-process-create-success-processcreation
sentinelone-singularityp-cef-process-create-success-processcreation
sentinelone-singularityp-cef-process-create-success-scheduledtask
sentinelone-singularityp-cef-process-create-success-process
sentinelone-singularityp-json-process-create-success-process
sentinelone-singularityp-json-process-create-success-process
sentinelone-singularityp-json-process-create-success-process
 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021 - Remote Services
T1021.003 - T1021.003
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218 - Signed Binary Proxy Execution
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559 - Inter-Process Communication
T1559.002 - T1559.002
  • 17 Rules
  • 7 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

External Remote Services

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Phishing

 Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Scheduled Task/Job: At (Windows)

 Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

 Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Hijack Execution Flow: DLL Side-Loading

Indicator Removal on Host: File Deletion

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Use Alternate Authentication Material: Pass the Hash

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Valid Accounts: Local Accounts

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

 OS Credential Dumping

Unsecured Credentials

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

 Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

 Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

Internal Spearphishing

 Screen Capture

Email Collection

Audio Capture

Archive Collected Data

Email Collection: Email Forwarding Rule

 Web Service

Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Dynamic Resolution

Ingress Tool Transfer

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

 Account Access Removal

Data Destruction

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery