

SentinelOne Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

Singularity Management Platform SaaS
Singularity agent for Windows Version 4.5
Singularity agent for Linux Version 4.4

Product Description

The SentinelOne Singularity™ Platform consolidates endpoint protection (EPP) and enterprise detection and response (EDR) into a single agent for Windows, Mac, Linux, and Kubernetes and supports end-user, server, and cloud-native workloads. Management is principally a cloud-delivered SaaS with global hosting region choice, but we also support hybrid-cloud and on-premise implementations. SentinelOne replaces or complements AV, adds EDR capability, and enables network visibility. Our EPP+EDR consolidation is highly uniform across OSes in order to create security operational consistency across compute types with an overall goal of lowering mean time to respond (MTTR) through automation.

Agents have several roles in the architecture including autonomously and automatically creating attribution context and cross-process event correlation in real time. This machine-built context, also known as Storyline™, is used for EPP purposes to identify and respond to malicious “stories” (attacks) at the moment they are detected. For EDR purposes, Storyline context is preserved on our platform for up to 365 days for fully customizable automated and ad hoc threat hunting across long time horizons and incident response operations. Agents will trigger appropriate responses within the device automatically or as commanded by the SOC. Via policy, customers can take advantage of either EPP or EDR modes or combine them into a consolidated EPP+EDR mode.

Storyline attribution mechanisms provide data enrichment beyond simple process tree tracking; SentinelOne differentiates by our ability to identify and handle key infiltration and attack techniques as defined by the MITRE ATT&CK® framework. In the case of Windows, the endpoint agent monitors, via kernel driver, user mode processes and their deep relationships including execution of APC to a remote process, RPC requests from a system process, and more, all of which are "re-attributed" to the original caller even across system reboots. Though Linux/Kubernetes agents operate in user space and Mac agents adhere to Apple’s “kextless” requirements (neither tainting the kernel), agents for these OSes accomplish much of the same “prevent-detect-respond” objectives as our Windows version. Our design enables Singularity agents to protect endpoints from malicious activity at any stage in an attack chain–from the successful exploit to the last payload operation. They detect threats both pre-execution using a machine-learning based file scanner and on-execution using unique behavioral AI engines. The EDR engine facilitates threat hunting and response investigation by collecting multiple OS events (process, file, network, user, DNS, registry, and more) with full context attribution. All of this machine-built metadata context is live streamed (or queued if offline) to the Singularity platform where it is evaluated in real time against customer-defined queries and SentinelOne-defined intelligence hunt packs. Agents offer various automated response actions to control emergent threats and recover systems back to a pre-infection state all without tedious custom scripting.

Product Configuration

SentinelOne Singularity platform configuration tested:

Detection Evaluation

Agent policy set to an alert-only mode for both malicious and suspicious threats, i.e. “Detect / Detect” mode. In this instance, the agent creates Storyline context but does not intervene with any type of automatic protective response; this is a “pure EDR” mode. LSASS memory protection was disabled during testing to allow a full testing flow per MITRE’s requirement.

Protection Evaluation

In contrast, the MITRE Protection testing was with agent policy set to a protection mode for both malicious and suspicious threats, i.e. “Protect / Protect” mode. In this instance, the agent creates Storyline context, evaluates each against static and behavioral AI engines, and intervenes with automatic protective response as judged appropriate.