![]() Hunting: Beacon configuration parsing tool and related SentinelOneQL hunting queries. Other than that, the group relied solely on LOLBins and mostly fileless methods for local execution and lateral movement.ģ. Toolkit: The attackers used a CobaltStrike beacon with a then-unknown persistence method using DLL hijacking (detailed below). Progression: The attack propogated initially through the company’s VPN to an inner Windows server, and then on to the Domain Controller and afterward to servers containing the sought-after data.Ģ. In this post, we’ll describe the procedure of how we did that by using SentinelOne features as well as other tools and methods we developed along the way. We were contacted shortly after the malicious activity was discovered and asked to find the attackers’ persistence methods as well as to ensure full remediation. In light of the Coronavirus lockdowns and subsequent understaffing at many businesses, we were contacted by the customer to help investigate an intrusion that was discovered in their network by threat alerts in their SentinelOne Console. ![]() ![]() We recently investigated such a state-sponsored attack on a SentinelOne customer, one of the leaders in their field of business. Even in these uncertain times, state-sponsored groups continue their hacking attempts and we must stay vigilant at all times.
0 Comments
Leave a Reply. |