Florian Roth, Head of Research at Nextron Systems in Germany, received a series of alerts on Nov. 6 that had all the telltale signs of a potentially serious security breach.
PowerShell, a popular scripting language used by system administrators to automate tasks in managing operating systems, was being leveraged in a way that is commonly used by malicious actors.
“This must be a threat or a penetration,” Roth wrote in a Twitter post that quickly went viral:
But as soon as Roth finished writing that sentence, he let the Twitterverse in on a dirty little secret. Was the rogue PowerShell script a threat or a penetration test? “Nope - just a leading EDR that runs it and may use it to … well, I have no idea and think they should rewrite their crap.”
The “leading EDR” in question turns out to be SentinelOne and if the responses to Roth’s Twitter post are any indication, the problem seems to be widespread:
.png?width=648&name=Screenshot%202021-11-08%20at%2015-09-24%20picketfence%20on%20Twitter%20(1).png)
“Had a customer freak out about this recently as well,” wrote @pchobbit, a Cisco Talos Incident Response global leader.
“We all have,” responded @notnotaspy, Founder, CEO, and CTO of @fieldeffectsoft.
In this case, SentinelOne is using an approach that belongs more in the toolkit of an attacker than an enterprise security vendor. When SentinelOne customers are forced to ignore this type of activity to avoid the false positives generated by their EDR solution, they invite attacks by actual malicious actors using this approach.
SentinelOne’s sensors force their customers to configure their systems to ignore this type of behavior, inviting attackers to use this technique against them. Well-designed EDR platforms are supposed to help analysts focus on the things that matter most by eliminating false positives. The architecture of SentinelOne’s sensor technology, however, abuses PowerShell and often results in:
Cybereason’s sensor is built to exceed industry standards and, as a result, experiences no negative interactions with other tools on the endpoint or in the environment. Not only is the Cybereason sensor architected to ensure the greatest system stability, but it also offers the most comprehensive prevention and the highest fidelity detections for attacks from any vector, including PowerShell.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason EDR, why defenders choose Cybereason over SentinelOne, and how your organization can benefit from an operation-centric approach to security.
Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.
All Posts by Cybereason Team
Every organization needs to defend effectively against the growing threat of ransomware, so it's important to have the right tools. Cybereason is undefeated against ransomware and beats SentinelOne...
Crowdstrike and SentinelOne platforms are forced to filter out critical event telemetry--and while they try to pawn off this deficit as a "feature" by calling it Smart Filtering, eliminating critical telemetry undermines their ability to detect complex RansomOps attacks at the earliest stages...
