SentinelOne and OpenVPN connect

Posted: Fri Jan 14, 2022 9:27 pm
by georgeRFCU
Does anyone here use SentinelOne for their AV/EDR solution? We are having an issue where SentinelOne is detecting OpenVPN Connect as a threat and killing it. The odd thing is that it's after a few days of usage and not immediate. I can whitelist it, but I am just wondering if anyone else had this experience and any more information on why this may be.

I'm pasting the threat indicators below, which sound scary but could also just be what the OpenVPN software does:

Evasion

Internal process resource was manipulated in memory
MITRE : Defense Evasion
Indirect command was executed
MITRE : Defense Evasion [T1218][T1202]
Code injection to other process memory space during the target process' initialization
MITRE : Defense Evasion [T1055.012]
MITRE : Privilege Escalation [T1055.012]

Exploitation

Shellcode execution was detected
MITRE : Execution [T1106][T1059]

General

Process started from shortcut file
MITRE : Execution [T1204]
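As an added example (not part of the post, and not SentinelOne's or OpenVPN's code), here is a small Python parser for an indicator block in the layout pasted above, followed by a triage step against a hypothetical per-application allowlist of technique IDs. The point of parsing out the technique IDs is that a blanket exclusion for the binary silences every one of these indicators, whereas a per-technique allowlist lets an analyst suppress only the ones they have reasoned about (a process launched from a .lnk, say) while an injection or shellcode indicator on the same binary still escalates. The allowlist contents and the "expected" decisions below are constructed for illustration and make no claim about what OpenVPN Connect actually does.

```python
"""Parse a SentinelOne-style threat indicator dump into structured records and
triage them against a hypothetical per-application allowlist.

Added example for this thread; not SentinelOne's or OpenVPN's code."""

import re
from dataclasses import dataclass, field

# Constructed input: the indicator text from the post, embedded verbatim.
SAMPLE_INDICATORS = """\
Evasion

Internal process resource was manipulated in memory
MITRE : Defense Evasion
Indirect command was executed
MITRE : Defense Evasion [T1218][T1202]
Code injection to other process memory space during the target process' initialization
MITRE : Defense Evasion [T1055.012]
MITRE : Privilege Escalation [T1055.012]

Exploitation

Shellcode execution was detected
MITRE : Execution [T1106][T1059]

General

Process started from shortcut file
MITRE : Execution [T1204]
"""

# "MITRE : <tactic>" optionally followed by one or more "[Txxxx]" / "[Txxxx.yyy]" tags.
MITRE_LINE = re.compile(r"^MITRE\s*:\s*(?P<tactic>[^\[]+?)\s*(?P<ids>(?:\[[^\]]+\])*)$")
TECH_ID = re.compile(r"\[(T\d{4}(?:\.\d{3})?)\]")


@dataclass
class Indicator:
    category: str                # heading the indicator sat under (Evasion, General, ...)
    description: str             # the human-readable indicator line
    tactics: list = field(default_factory=list)
    techniques: set = field(default_factory=set)


def parse_indicators(text):
    """Return a list of Indicator records.

    Layout assumed (matches the post): a category heading on its own line, then
    one description line followed by one or more 'MITRE : ...' lines.  A line is
    treated as a description when the next non-blank line is a MITRE line, and
    as a category heading otherwise.  A description whose MITRE line carries no
    technique ID still yields a record, with an empty technique set."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    indicators = []
    category = "Uncategorised"
    current = None
    for i, line in enumerate(lines):
        m = MITRE_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"MITRE line without a preceding description: {line!r}")
            current.tactics.append(m.group("tactic"))
            current.techniques.update(TECH_ID.findall(m.group("ids")))
        elif i + 1 < len(lines) and MITRE_LINE.match(lines[i + 1]):
            current = Indicator(category=category, description=line)
            indicators.append(current)
        else:
            category = line
            current = None
    return indicators


def technique_ids(indicators):
    """Sorted, de-duplicated list of every technique ID across the indicators."""
    return sorted(set().union(*(ind.techniques for ind in indicators)))


def triage(indicators, expected_techniques):
    """Split indicators into (explained, escalate).

    An indicator is 'explained' only if it carries at least one technique ID and
    every ID it carries is in the allowlist.  Indicators with no technique ID at
    all are never auto-explained, since there is nothing concrete to allowlist."""
    explained, escalate = [], []
    for ind in indicators:
        if ind.techniques and ind.techniques <= expected_techniques:
            explained.append(ind)
        else:
            escalate.append(ind)
    return explained, escalate


if __name__ == "__main__":
    # Hypothetical allowlist for one binary: the analyst has accepted a
    # shortcut-launched process and the indirect-command indicators, nothing else.
    allowlist = {"T1204", "T1218", "T1202"}
    parsed = parse_indicators(SAMPLE_INDICATORS)
    ok, needs_review = triage(parsed, allowlist)
    print("all technique IDs:", technique_ids(parsed))
    for ind in ok:
        print("explained :", ind.category, "/", ind.description, sorted(ind.techniques))
    for ind in needs_review:
        print("ESCALATE  :", ind.category, "/", ind.description, sorted(ind.techniques))
```

With the allowlist above, the two indicators tagged T1204 and T1218/T1202 are explained, while the memory manipulation (no technique ID), the T1055.012 injection and the T1106/T1059 shellcode indicators are left for a human to look at.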

Re: SentinelOne and OpenVPN connect

Posted: Wed Jan 19, 2022 6:49 pm
by openvpn_inc
Hi George,

I'd suggest talking to SentinelOne support about this. We can definitely vouch for our software. Can they vouch for theirs? ;)

regards, rob0