
How It Works
Uncoder AI streamlines threat detection in SentinelOne by automatically transforming raw intelligence into executable event queries. In this case, it focuses on WRECKSTEEL (CERT-UA#14283), a PowerShell-based stealer campaign, by parsing dozens of malicious indicators — including over 30 domains and download URLs — and converting them into a single EventQuery targeting DNS lookups within the SentinelOne console.
The AI analyzes threat infrastructure and pivots on indicators frequently used for payload delivery and command-and-control (C2) communications.
Query Breakdown: SentinelOne DNS IOC Coverage
DNS in contains anycase ("звернення.zip", "mfashara.com", "eschool-ua.online", "www.eschool-ua.online", "dropmefiles.cc", "iocreest.tech", "rrrt.website", "api.ipify.org", "drive.google.com", "workai.work", "dropmefiles.top")
- Query Type: DNS enrichment filter based on known C2 domains and cloud delivery services.
- Matching Method: Uses the contains anycase operator to detect DNS resolutions regardless of capitalization. Because contains is a substring match, an entry such as eschool-ua.online already covers www.eschool-ua.online, so the explicit www. entry is redundant. Note also that звернення.zip is a Cyrillic lure-archive name rather than a plain domain; it will only match DNS telemetry if the agent records the label in Unicode rather than in its punycode (xn--) form.
- Threat Infrastructure Mapped: Domains observed in command-line execution, PowerShell cradles, and droppers like script.ps1 and AppFinalDesktop.vbs.
- Campaign Context: Includes common malware-hosting domains (dropmefiles.cc, drive.google.com) and campaign-specific pivots like eschool-ua.online and mfashara.com.
Why It’s Innovative
SentinelOne’s native query language typically requires manual formatting and enrichment of domain-based IOCs — an error-prone and slow process during active incident response. Uncoder AI automates:
- Extraction and normalization of domains from structured reports
- Language-aware query construction (e.g., contains anycase to prevent casing mismatches)
- Deconfliction of duplicate or redundant entries
By directly supporting the SentinelOne query model, Uncoder AI turns passive DNS IOCs into an immediately deployable detection filter.
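The pipeline sketched in the breakdown above and in the three automation steps (extraction, normalization, language-aware construction, deconfliction) can be reproduced end to end. The following is an added example, not Uncoder AI's or SOC Prime's code: it parses a constructed IOC dump (the indicator values are the ones from the post's query; the URL paths, defanging brackets and duplicates around them are invented to exercise the parser), deduplicates and deconflicts the hosts, renders the query in the post's `DNS in contains anycase (...)` form, and then replays that operator's case-insensitive substring semantics over constructed DNS events. The field name `DNS` and the operator spelling are taken from the post and are assumed rather than verified against a console schema; emitting the punycode form of an internationalized entry alongside the Unicode form is likewise an assumption about how the agent records such labels.

```python
"""Turn a raw WRECKSTEEL-style IOC dump into a SentinelOne DNS query and
replay the query's matching semantics over sample DNS events.

Added example; not Uncoder AI's or SOC Prime's code. The field name `DNS`
and the `in contains anycase` operator follow the post's query and are
assumed, not verified against a console schema."""
import re

# Constructed IOC dump as it might be pasted from a report. Mixed case,
# exact duplicates, defanged entries, full URLs and an IDN filename are
# deliberate; only the indicator values themselves come from the post.
RAW_IOCS = """
hxxps://mfashara[.]com/script.ps1
eschool-ua.online
WWW.ESCHOOL-UA.ONLINE
dropmefiles.cc
dropmefiles.cc
iocreest[.]tech
rrrt.website/AppFinalDesktop.vbs
api.ipify.org
drive.google.com
workai.work
dropmefiles.top
звернення.zip
"""


def extract_host(line):
    """Refang, lowercase and reduce a URL or domain to its host part."""
    s = line.strip().replace("[.]", ".").replace("hxxp", "http").lower()
    if not s:
        return None
    s = re.sub(r"^[a-z]+://", "", s)            # drop scheme
    host = s.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    return host or None


def normalize(raw):
    """Extract hosts and remove exact duplicates, preserving order."""
    seen, out = set(), []
    for line in raw.splitlines():
        host = extract_host(line)
        if host and host not in seen:
            seen.add(host)
            out.append(host)
    return out


def deconflict(hosts):
    """Drop entries already covered by a shorter entry under substring
    matching (www.eschool-ua.online is covered by eschool-ua.online)."""
    return [h for h in hosts if not any(o != h and o in h for o in hosts)]


def idn_forms(host):
    """Return the host plus its punycode (xn--) form when it has non-ASCII
    labels; which spelling the agent records is an assumption."""
    try:
        host.encode("ascii")
        return [host]
    except UnicodeEncodeError:
        return [host, host.encode("idna").decode("ascii")]


def build_query(hosts, field="DNS"):
    """Render the query in the same shape the post shows."""
    values = [v for h in hosts for v in idn_forms(h)]
    quoted = ", ".join('"%s"' % v for v in values)
    return f"{field} in contains anycase ({quoted})"


def matches(dns_value, hosts):
    """Emulate `contains anycase`: case-insensitive substring match."""
    d = dns_value.lower()
    return [h for h in hosts if any(v.lower() in d for v in idn_forms(h))]


# Constructed DNS events as the query would see them (not real telemetry).
EVENTS = [
    {"host": "WS-01", "dns": "WWW.ESCHOOL-UA.ONLINE"},  # uppercase subdomain
    {"host": "WS-02", "dns": "api.ipify.org"},           # external IP check
    {"host": "WS-03", "dns": "updates.example.com"},     # benign, no hit
    {"host": "WS-04", "dns": "звернення.zip".encode("idna").decode("ascii")},  # punycode
    {"host": "WS-05", "dns": "cdn.rrrt.website"},        # subdomain of an IOC
]


def hunt(events, hosts):
    """Return (endpoint, dns, matched IOCs) for every event the query hits."""
    hits = []
    for ev in events:
        m = matches(ev["dns"], hosts)
        if m:
            hits.append((ev["host"], ev["dns"], m))
    return hits


if __name__ == "__main__":
    iocs = deconflict(normalize(RAW_IOCS))
    print(build_query(iocs))
    for hit in hunt(EVENTS, iocs):
        print(hit)
```

Two things the replay makes visible: substring matching gives subdomain coverage for free (WS-01 and WS-05 hit without www. or cdn. entries), so deconfliction can safely drop entries that contain another entry; and the Cyrillic entry only fires on WS-04 because the punycode form was emitted next to it.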
Operational Value
For SOC teams using SentinelOne:
- Rapid IOC Coverage: Instantly deploy DNS-based threat indicators without manual list parsing or rule authoring.
- Intelligence-to-Detection Bridge: Shift from threat reports (PDFs, CSVs) to live detection queries with zero manual translation.
- Improved Detection Fidelity: Catch stealthy payload stages leveraging legitimate file-sharing or staging infrastructure (e.g., Google Drive, api.ipify.org). Because those services are also resolved by benign software, treat hits on them as pivots to correlate with process context (for example, a PowerShell parent or one of the droppers named above) rather than as standalone alerts.
This empowers teams to harden endpoint telemetry against known infrastructure used in campaigns like WRECKSTEEL with minimal manual overhead.
The post AI-Generated SentinelOne DNS Query for WRECKSTEEL Detection appeared first on SOC Prime.