Releases: LasCC/SentinelOne-Userscript
v2026.04.17-b840584
feat: expand ClickFix detection with 2024-2026 variants (FileFix, WebDAV, DNS, finger, wmic, conhost, App-V)
v2026.04.17-2e3f903
feat: add RedSun Windows Defender 0-day (CVE-2026-33825) detection rule
Static analysis of the Nightmare-Eclipse/RedSun.cpp PoC identified these IOCs:
- working dir %TEMP%\RS-{GUID} (hardcoded prefix + CoCreateGuid)
- named pipe \pipe\REDSUN (CreateNamedPipe + GetNamedPipeServerSessionId)
- payload filename TieringEngineService.exe impersonating the real MS svc
- reparse mount point to ??\C:\Windows\System32 from user-writable dir
- Cloud Files provider "SERIOUSLYMSFT" (CfRegisterSyncRoot)
- Storage Tiers DCOM CLSID {50d185b9-fff3-4656-92c7-e4018da4361d}
- stdout markers "The red sun shall prevail", "The sun is shinning"
The rule fires on the exploit primitive (MsMpEng.exe writing TieringEngineService.exe), on pre-staging (TEMP drops), on post-exploitation (System32\TieringEngineService.exe spawning conhost.exe), and on any indicator metadata surfacing the PoC-specific strings. Servicing paths (WinSxS, SoftwareDistribution, DriverStore, Defender quarantine/platform) are excluded to avoid FPs on legitimate MS updates.
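As an added illustration (not the project's rule text and not SentinelOne's query language), the following Python sketch encodes the four detection stages and the servicing-path exclusion described in this release note and runs them over constructed telemetry events. The event field names (`type`, `process`, `target`, `metadata`), the flat event shape, and the substring-based path exclusion are assumptions made for the demo; the IOC values themselves are the ones listed above.

```python
"""Toy re-implementation of the RedSun detection logic described in the release note.

Constructed for illustration: the event schema and sample events are assumptions,
not SentinelOne's real fields or the project's actual rule.
"""
import re
from typing import Dict, List

# IOC values listed in the release note.
PAYLOAD_NAME = "tieringengineservice.exe"
PIPE_NAME = r"\pipe\redsun"
CLSID = "{50d185b9-fff3-4656-92c7-e4018da4361d}"
INDICATOR_STRINGS = (
    "the red sun shall prevail",
    "the sun is shinning",  # spelling exactly as the PoC prints it
    "seriouslymsft",        # Cloud Files sync root provider name
    PIPE_NAME,
    CLSID,
)

# %TEMP%\RS-{GUID} working directory: fixed "RS-" prefix plus a CoCreateGuid value.
RS_TEMP_RE = re.compile(
    r"\\temp\\rs-\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?(\\|$)"
)

# Servicing locations excluded to avoid false positives on legitimate updates
# (assumption: lower-cased substring matching is sufficient for this demo).
SERVICING_PATHS = (
    "\\winsxs\\",
    "\\softwaredistribution\\",
    "\\driverstore\\",
    "\\windows defender\\quarantine\\",
    "\\windows defender\\platform\\",
)


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_servicing_path(path: str) -> bool:
    """True if the path lies under one of the excluded servicing directories."""
    lp = path.lower()
    return any(s in lp for s in SERVICING_PATHS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of detection stages an event matches (empty if benign).

    Assumed event shape: type is "file_write" (process wrote target) or
    "process_start" (process spawned target); metadata is free text.
    """
    hits: List[str] = []
    kind = event.get("type")
    proc = event.get("process", "")
    target = event.get("target", "")

    if kind == "file_write" and not is_servicing_path(target):
        # Exploit primitive: Defender's engine process writing the payload name.
        if _base(proc) == "msmpeng.exe" and _base(target) == PAYLOAD_NAME:
            hits.append("exploit_primitive")
        # Pre-staging: anything dropped into the %TEMP%\RS-{GUID} working dir.
        if RS_TEMP_RE.search(target.lower()):
            hits.append("pre_staging")

    if kind == "process_start":
        # Post-exploitation: the planted System32 binary spawning conhost.exe.
        if proc.lower().endswith("\\windows\\system32\\" + PAYLOAD_NAME) and _base(target) == "conhost.exe":
            hits.append("post_exploitation")

    # Indicator metadata carrying any PoC-specific string.
    meta = event.get("metadata", "").lower()
    if any(s in meta for s in INDICATOR_STRINGS):
        hits.append("indicator_strings")
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"type": "file_write",
     "process": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\MsMpEng.exe",
     "target": r"C:\Windows\System32\TieringEngineService.exe"},
    {"type": "file_write", "process": r"C:\Users\alice\Downloads\stage.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\RS-{0f3c1c3a-1b2c-4d5e-8f90-112233445566}\TieringEngineService.exe"},
    {"type": "process_start", "process": r"C:\Windows\System32\TieringEngineService.exe",
     "target": r"C:\Windows\System32\conhost.exe"},
    {"type": "file_write", "process": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\WinSxS\amd64_tiering\TieringEngineService.exe"},
    {"type": "file_write", "process": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\TieringEngineService.exe", "metadata": "cumulative update"},
    {"type": "process_start", "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\cmd.exe", "metadata": "stdout: The sun is shinning"},
]


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Classify every event; index i of the result corresponds to events[i]."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for i, hits in enumerate(scan(SAMPLE_EVENTS)):
        print(i, hits or "-")
```

The fourth sample shows the exclusion at work: the payload name under WinSxS is ignored even though the file name matches, which is exactly the FP case the note calls out. The fifth shows that the file name alone is not enough; the writing process must be MsMpEng.exe.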
v2026.04.17-22a68a5
feat: add ClickFix TTP (Verbose) as separate rule, restore original Clickfix TTP detected
v2026.04.02-cb48e92
fix: use correct endpoint.os value "osx" for macOS queries
v2026.04.02-bf42012
feat: add macOS LOOBins detection query (16 high-confidence patterns across 13 binaries)
v2026.03.28-68c4537
fix: drop ambiguous option chars (dashes) from ArgFuscator detection to reduce FPs
v2026.03.28-4e9db7c
feat: add Ligolo-ng and Ligolo-IWA browser pivot detection query
v2026.03.27-f6b07cd
fix: add ClickFix alias evasion detection and rework Storyline ID helper aggregation
v2026.03.27-f4109c5
fix: comprehensive ArgFuscator detection covering all 5 obfuscation families
v2026.03.27-bc62d87
fix: rework indicator.metadata/description aggregation for readability and accuracy