Has something changed with the Desktop Central Agent Service regarding patch mgmt? Our SentinelOne EDR is triggered by some updates
Anyone have this sort of trouble? Some Windows updates or others are triggering our SentinelOne EDR software. Sometimes the Threat files are any of these, listed with the "Detecting Engine":
| Threat Details | Detecting Engine |
| --- | --- |
| 5beceb.rbf | ['On-Write Static AI - Suspicious'] |
| 5becec.rbf | ['On-Write Static AI - Suspicious'] |
| dcconfig.exe | ['Behavioral AI'] |
| 487612df.rbf | ['Behavioral AI'] |
| selfserviceexe.exe | ['Behavioral AI'] |
| dcagentservice.exe | ['Behavioral AI'] |
Trying to figure out what to change.
To add more insight to this, here is what SentinelOne (S1) is saying about these updates:
Every arm of the update/interaction has a multitude of flags being thrown.
Here are some of the detected MITRE listings that S1 is seeing occur:
[links removed]
Infostealer
- Identified read action of sensitive information from LSASS
  - MITRE : Credential Access [T1003.001][T1555.004]
  - MITRE : Initial Access [T1078]
  - MITRE : Defense Evasion [T1078]
  - MITRE : Persistence [T1078]
  - MITRE : Privilege Escalation [T1078]
- Attempts to read sensitive information from LSASS
  - MITRE : Credential Access [T1003.001][T1555.004]
  - MITRE : Initial Access [T1078]
  - MITRE : Defense Evasion [T1078]
  - MITRE : Persistence [T1078]
  - MITRE : Privilege Escalation [T1078]
- Blocked read access to LSASS
  - MITRE : Credential Access [T1003.001]
  - MITRE : Initial Access [T1078]
  - MITRE : Defense Evasion [T1078]
  - MITRE : Persistence [T1078]
  - MITRE : Privilege Escalation [T1078]

Evasion
- Process executed with PE file embedded in resource
  - MITRE : Command and Control [T1132]
  - MITRE : Defense Evasion [T1027][T1480.001]
- Suspicious registry key was created
  - MITRE : Defense Evasion [T1112][T1027][T1564.005][T1480.001]
- Process executed with non-standard resource type
  - MITRE : Command and Control [T1132]
  - MITRE : Defense Evasion [T1027][T1480.001]
- An obfuscated Command Prompt command was detected
  - MITRE : Defense Evasion [T1027][T1140][T1480.001]
- A new root certificate was added
  - MITRE : Defense Evasion [T1553.004]
- The original filename is different from its actual name
  - MITRE : Defense Evasion [T1036.003][T1036.005][T1574.008]
  - MITRE : Persistence [T1574.008]
  - MITRE : Privilege Escalation [T1574.008]
- Application attempted to tamper with SentinelOne registry keys
  - MITRE : Defense Evasion [T1562.001]
- Indirect command was executed
  - MITRE : Defense Evasion [T1218][T1202]

Packer
- Process suspicious as packed
  - MITRE : Defense Evasion [T1027][T1480.001]

Malware
- Detected suspicious redirection of data from an interpreter with a hidden window
  - MITRE : Defense Evasion [T1564.003]
- Detected suspicious redirection of data from a process with a hidden window
  - MITRE : Defense Evasion [T1564.003]
- Detected a process that loaded DotNet libraries dynamically after startup
- Detected redirection of data from a process

Persistence
- Application registered itself to become persistent via service
  - MITRE : Privilege Escalation [T1543.003][T1547.001]
  - MITRE : Persistence [T1543.003][T1547.001][T1546][T1569.002]
- Application registered itself to become persistent via an autorun
  - MITRE : Persistence [T1547.001][T1546]
  - MITRE : Privilege Escalation [T1547.001]

Reconnaissance
- Machine information was gathered by LDAP query
  - MITRE : Discovery [T1087][T1069][T1018]
  - MITRE : Collection [T1119]
  - MITRE : Defense Evasion [T1480.001]

Discovery
- Identified attempt to access a raw volume
  - MITRE : Discovery [T1082]

General
- User logged on
  - MITRE : Persistence [T1078][T1078.002]
  - MITRE : Defense Evasion [T1078][T1078.002]
  - MITRE : Privilege Escalation [T1078][T1078.002]
  - MITRE : Initial Access [T1078][T1078.002]
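Before changing anything in S1 for the detections above, the check a defender would want first is whether the flagged executables from the table (dcconfig.exe, dcagentservice.exe, selfserviceexe.exe) are the genuine, vendor-signed agent binaries, and to record their hashes so any exclusion can be scoped to those exact files rather than to the whole agent or to a behavior. The PowerShell below is an added example, not code from the original post, ManageEngine or SentinelOne; the agent install path is an assumption and should be replaced with the real location on an affected endpoint. It uses only built-in cmdlets (Get-AuthenticodeSignature, Get-FileHash).

```powershell
# Added example (not from the original post, ManageEngine or SentinelOne):
# verify that the binaries S1 flagged carry a valid Authenticode signature
# and capture SHA256 hashes for a file-scoped exclusion decision.

$AgentRoot = 'C:\Program Files (x86)\DesktopCentral_Agent'   # ASSUMED path; adjust to your install
$Flagged   = @('dcconfig.exe', 'dcagentservice.exe', 'selfserviceexe.exe')  # names from the S1 table

$results = foreach ($name in $Flagged) {
    # Locate the file under the agent directory; take the first match only.
    $file = Get-ChildItem -Path $AgentRoot -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -First 1

    if (-not $file) {
        # A flagged name that is not under the agent root deserves a closer look, not an exclusion.
        [pscustomobject]@{ File = $name; Path = '<not found>'; Status = 'Missing'; Signer = ''; SHA256 = '' }
        continue
    }

    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        File   = $name
        Path   = $file.FullName
        Status = $sig.Status          # 'Valid' means the chain verified; anything else is a stop sign
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = $hash
    }
}

# Full picture for the ticket / S1 case notes.
$results | Format-Table -AutoSize

# Only files with a valid signature are candidates for a hash-scoped exclusion.
$Candidates = $results | Where-Object { $_.Status -eq 'Valid' } | Select-Object File, SHA256
$Candidates

# Anything unsigned, mis-signed or missing stays a detection to investigate.
$results | Where-Object { $_.Status -ne 'Valid' } | Select-Object File, Path, Status
```

The .rbf entries in the table are treated here as an assumption about their origin: Windows Installer rollback files written during an MSI transaction are transient and unsigned, so they cannot be verified this way; if the install directory and the updater's working directory are the only places they appear, that is the context to give the S1 analyst rather than an exclusion on the file names.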