SentinelOne Telemetry Update - BITS and Process Tampering Activities

[thiboog]

Pull Request Template

Description

Please provide the below information so we can validate before merging:

1. Does the proposed EDR feature align with our definition of telemetry?(definition here)
2. Could you please provide documentation to support the telemetry you are proposing?(If it is held privately, please reach out to me or @inodee)
3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: Yes
2: No
3: Yes

Type of change

Please delete options that are not relevant.

• Feature Improvement (non-breaking change which fixes an issue)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Test Configuration:

• Winfows Agent Version 24.1
• Operating System version: Windows 11

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my corrections or additions are accurate
• I have checked my code and corrected any misspellings

Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂

---

Hi @tsale ,

Another update for SentinelOne EDR telemetry on Windows:

• Bits Jobs Activity - via EventLogs (see screenshot)

• Process Tampering - Yes (see screenshot)

On this one I would like to understand what is expected here as the MITRE mapping in the project reference many techniques under DS0009, are we talking about T1055 - Process Injection techniques mainly ?
SentinelOne have many native EDR telemetry indicators for that include : Process Injection, Preload Injection, Process Hollowing, Process Doppelgänging, Remote Injection, DLL Injection, VDSO Hijacking etc.