SentinelOne Breach Incident Score: Analysis & Impact (SEN1765296030)

In this Rankiteo incident briefing, we review the SentinelOne breach identified under incident ID SEN1765296030.

The analysis begins with a detailed overview of SentinelOne's information like the linkedin page: https://www.linkedin.com/company/sentinelone, the number of followers: 364683, the industry type: Computer and Network Security and the number of employees: 2929 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 740 and after the incident was 635 with a difference of -105 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on SentinelOne and their customers.

A newly reported cybersecurity incident, "Storm-0249 Abuses EDR Solutions for Stealthy Ransomware Attacks", has drawn attention.

An initial access broker tracked as Storm-0249 is abusing endpoint detection and response (EDR) solutions and trusted Microsoft Windows utilities to load malware, establish communication, and persistence in preparation for ransomware attacks.

Impact assessments are still underway, so the full scope is not yet clear.

Formal response steps have not been shared publicly yet.

The case underscores how teams are taking away lessons such as Abuse of trusted EDR processes can bypass traditional monitoring. Behavior-based detection and stricter controls for utilities like curl, PowerShell, and LoLBins are recommended, and recommending next steps like Implement behavior-based detection to identify trusted processes loading unsigned DLLs from non-standard paths and Set stricter controls for curl, PowerShell, and LoLBin execution.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (80%), supported by evidence indicating clickFix social engineering, tricking users into executing curl commands. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating users executed curl commands via Windows Run dialog to download MSI package and Command and Scripting Interpreter: PowerShell (T1059.001) with high confidence (90%), supported by evidence indicating powerShell script fetched from spoofed Microsoft domain, loaded into memory. Under the Persistence tactic, the analysis identified Hijack Execution Flow: DLL Side-Loading (T1574.002) with high confidence (95%), supported by evidence indicating dLL sideloading via SentinelAgentWorker.exe, survived OS updates. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating malicious DLL (SentinelAgentCore.dll) placed alongside legitimate EDR process, Signed Binary Proxy Execution: Msiexec (T1218.007) with moderate to high confidence (85%), supported by evidence indicating malicious MSI package executed with SYSTEM privileges, Process Injection: Portable Executable Injection (T1055.002) with moderate to high confidence (80%), supported by evidence indicating malicious code executed within signed, privileged EDR process, and Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), supported by evidence indicating powerShell script loaded directly into memory to avoid disk-based detection. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with high confidence (90%), supported by evidence indicating collected system identifiers (MachineGuid) via reg.exe, findstr.exe. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating encrypted HTTPS C2 traffic funneled through trusted EDR process. Under the Credential Access tactic, the analysis identified OS Credential Dumping: Security Account Manager (T1003.002) with moderate confidence (60%), supported by evidence indicating abuse of trusted EDR process may imply credential access (implied). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.