← Back to Explore
sigmamediumHunting
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
Detection Query
selection:
TargetObject|contains: \shell\SentinelOneScan\command\
filter_main_sentinelone_default_scan_binary:
Details|startswith:
- C:\Program Files\SentinelOne\Sentinel Agent
- C:\Program Files (x86)\SentinelOne\Sentinel Agent
Details|contains: \SentinelScanFromContextMenu.exe
filter_main_sentinelone_binary:
Image|endswith:
- C:\Program Files\SentinelOne\
- C:\Program Files (x86)\SentinelOne\
condition: selection and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2024-03-06
Data Sources
windowsRegistry Set Events
Platforms
windows
Tags
attack.persistence
Raw Content
title: Potential SentinelOne Shell Context Menu Scan Command Tampering
id: 6c304b02-06e6-402d-8be4-d5833cdf8198
status: test
description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\shell\SentinelOneScan\command\'
filter_main_sentinelone_default_scan_binary:
Details|startswith:
- 'C:\Program Files\SentinelOne\Sentinel Agent'
- 'C:\Program Files (x86)\SentinelOne\Sentinel Agent'
Details|contains: '\SentinelScanFromContextMenu.exe'
filter_main_sentinelone_binary:
Image|endswith:
- 'C:\Program Files\SentinelOne\'
- 'C:\Program Files (x86)\SentinelOne\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium