Home  >  APT29  >  Results  >  SentinelOne  >  Configuration

SentinelOne Configuration

Product Versions

  • 3.5.2.76 (3.5 SP 2)

Description

SentinelOne is an autonomous endpoint protection platform and enterprise detection and response platform (EPP+EDR) delivered in a single agent. The agent's role is to protect the endpoint from malicious activity at any stage of the attack chain - from the successful exploit to the last payload operation. It can detect threats either pre-execution using a machine-learning based file scanner or on-execution using a unique behavioral engine with both predefined detection logics and a behavioral AI layer while also offering various response actions.

All detection engines are localized to the agent so there is no cloud reliance for determination of threat or automated response action. The AI detection engines are continuously trained. The agent monitors the endpoint via kernel driver, process injections for user mode monitoring (hooking, traps etc), this allows the Behavioral Engine to maintain context over dynamic operations that is not based on a simple process trees. Our "smart attribution" mechanism is able to truly attribute operations, to the point where every event coming from an injected code, execution of APC to a remote process, RPC requests from a system process (using COM objects, WMI etc) and much more are "re-attributed" to the original caller. This mechanism differentiates our ability to handle many types of execution manipulations commonly done by attackers. This visibility is applied in real time to the threat models which allows for conviction of a "story" as soon as it becomes malicious. The agent can detect malicious behavior and threats immediately, offering detection of key infiltration and attack events as defined by the MITRE ATT&CK framework.

Also integrated within the single agent is an endpoint detection and response engine (EDR) that facilitates threat hunting and response investigation by collecting many OS events (process, file, network, user) with full context attribution (same mechanism used in the detection engines). All of the data is streamed to a central database which is then made available for analyst queries. Response actions available within the SentinelOne platform include Kill, Quarantine, Network Isolation, one-click remediation, and a unique feature called Rollback. The solution offers protection, visibility, simplicity and automation for any business or governmental organization. We support Windows, Mac and Linux as well as virtualized technologies. Management can be cloud-delivered or on-premise. Lastly, SentinelOne can replace traditional AV or complement it by running concurrently.

Configuration

The SentinelOne platform tested during the MITRE testing was our default agent with a policy set to “detect / detect”. The test was performed with our LSASS protection disabled. No other custom configuration or changes were made for the first two days of testing.

SentinelOne has many configurable options in the product for sending additional data to our cloud. In the “configuration change” section on the 3rd day, SentinelOne used a couple of these options. An example is changing the cap on the number of characters stored for decoded/decrypted Powershell commands. These changes can be done via the customer with a simple support request. SentinelOne also leveraged their Vigilance MDR service for this test.