Capture Client - Remote Shell functionality (through SentinelOne)
In light of recent supply-chain attacks, a question came up while working in the SentinelOne (native) console.
The SentinelOne Engine that comes with the Capture Client seems to be a Control SKU (Core, Control, Complete), considering the provided functionality (Device Control, App Vulnerability).
This SKU comes with a function called Remote Shell, which can be enabled on Policy level in the SentinelOne Management, which only SonicWall has access to. Therefore, as CC users we don't have any control over it if it gets enabled by accident or intentionally.
The tricky part with Remote Shell is that the Administrator on the SentinelOne Management can initiate direct shell access to the Endpoint, without requesting any consent. This is great for threat hunting, but raises some data privacy questions, IMHO.
What measures has SonicWall taken to avoid abuse of this?
This affects SentinelOne (native) and other RMMs as well, and is the topic of a discussion I'm having with S1 right now.
Is it just me (as usual) or are others concerned as well?