Comments

  • Sentinel One flagging scheduler and installer
    Thanks. I've whitelisted it. I'll submit to support. I think the difference with the newer version flagging it is that SPN ticket requests are higher.

    Triggers are:

    Ransomware
      - Deletes shadow copy
        MITRE: Impact [T1490]

    Evasion
      - Non-PowerShell process loaded PowerShell module
        MITRE: Execution [T1059.001]
      - A new root certificate was added
        MITRE: Defense Evasion [T1553.004]
      - Indirect command was executed
        MITRE: Defense Evasion [T1218][T1202]

    Privilege Escalation
      - Suspicious Kerberoasting attack. Too many SPN tickets requests
        MITRE: Credential Access [T1558.003]

    Persistence
      - Application registered itself to become persistent via service
        MITRE: Privilege Escalation [T1543.003]
        MITRE: Persistence [T1543.003]