AI-Generated SentinelOne DNS Query for WRECKSTEEL Detection

Posted on

How It Works

Uncoder AI streamlines threat detection in SentinelOne by automatically transforming raw intelligence into executable event queries. In this case, it focuses on WRECKSTEEL (CERT-UA#14283), a PowerShell-based stealer campaign, by parsing dozens of malicious indicators — including over 30 domains and download URLs — and converting them into a single EventQuery targeting DNS lookups within the SentinelOne console.

The AI analyzes threat infrastructure and pivots on indicators frequently used for payload delivery and command-and-control (C2) communications.

Explore Uncoder AI

Query Breakdown: SentinelOne DNS IOC Coverage

DNS in contains anycase ("звернення.zip", "mfashara.com", "eschool-ua.online"

"www.eschool-ua.online", "dropmefiles.cc", "iocreest.tech"

"rrrt.website", "api.ipify.org", "drive.google.com"

"workai.work", "dropmefiles.top")

  • Query Type:
     DNS enrichment filter based on known C2 domains and cloud delivery services.
  • Matching Method:
     Uses the contains anycase operator to detect DNS resolutions regardless of capitalization.
  • Threat Infrastructure Mapped:
     Domains observed in command-line execution, PowerShell cradles, and droppers like script.ps1 and AppFinalDesktop.vbs.

Campaign Context:
 Includes common malware-hosting domains (dropmefiles.cc, drive.google.com) and campaign-specific pivots like eschool-ua.online and mfashara.com.

Why It’s Innovative

SentinelOne’s native query language typically requires manual formatting and enrichment of domain-based IOCs — an error-prone and slow process during active incident response. Uncoder AI automates:

  • Extraction and normalization of domains from structured reports
  • Language-aware query construction (e.g., contains anycase to prevent casing mismatches)
  • Deconfliction of duplicate or redundant entries

By directly supporting the SentinelOne query model, Uncoder AI turns passive DNS IOCs into an immediately deployable detection filter.

Operational Value

For SOC teams using SentinelOne:

  • Rapid IOC Coverage
     Instantly deploy DNS-based threat indicators without manual list parsing or rule authoring.
  • Intelligence-to-Detection Bridge
     Shift from threat reports (PDFs, CSVs) to live detection queries with zero manual translation.
  • Improved Detection Fidelity
     Catch stealthy payload stages leveraging legitimate file-sharing or staging infrastructure (e.g., Google Drive, api.ipify.org).

This empowers teams to harden endpoint telemetry against known infrastructure used in campaigns like WRECKSTEEL — with zero overhead.

Explore Uncoder AI

The post AI-Generated SentinelOne DNS Query for WRECKSTEEL Detection appeared first on SOC Prime.

Related Posts