https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/458898#M1448 <P>Dear Community,&nbsp;</P><P>&nbsp;</P><P>Here I have found a researcher which evaded Cortex XDR protection.</P><P>&nbsp;<A href="https://0xsp.com/security%20research%20&amp;%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions" target="_blank">https://0xsp.com/security%20research%20&amp;%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions</A></P><P>Are there any connections to researcher like the one in the link above to penetrate cortex xdr?&nbsp;</P><P>What can you say to the evasion technic frohe the researcher above? Will or is this allready fixed?&nbsp; &nbsp;</P><P>&nbsp;</P><P>From my PoC expirience we had 2 issues:&nbsp;</P><P>1. Incident triggered for some files on the disk, which still existed on the disk. I deleted them manualy. After this I tried to quarantaine or delete them through Cortex APP leaded into a BSOD on Win10.</P><P>2. We had installed the Agent on a terminal Server. Used an Java based program for several users which was missconfigured without any RAM restriction on the jvm (now on 512m). So the system went sometimes in struggle of free virtual RAM. In this Situation the agent was disabled by missing Ressourcen.&nbsp;</P><P>We struggled about 3 days, because Real RAM was enough, but jvm used the virtual RAM setting and this wasnt adjusted for non restricted jvm RAM setting.&nbsp;</P><P>&nbsp;</P><P>Best regards&nbsp;</P><P>&nbsp;</P><P>Rob</P><P>&nbsp; &nbsp; &nbsp; &nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 15 Jan 2022 13:01:18 GMT Cyber1985 2022-01-15T13:01:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/458898#M1448 <P>Dear Community,&nbsp;</P><P>&nbsp;</P><P>Here I have found a researcher which evaded Cortex XDR protection.</P><P>&nbsp;<A href="https://0xsp.com/security%20research%20&amp;%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions" target="_blank">https://0xsp.com/security%20research%20&amp;%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions</A></P><P>Are there any connections to researcher like the one in the link above to penetrate cortex xdr?&nbsp;</P><P>What can you say to the evasion technic frohe the researcher above? Will or is this allready fixed?&nbsp; &nbsp;</P><P>&nbsp;</P><P>From my PoC expirience we had 2 issues:&nbsp;</P><P>1. Incident triggered for some files on the disk, which still existed on the disk. I deleted them manualy. After this I tried to quarantaine or delete them through Cortex APP leaded into a BSOD on Win10.</P><P>2. We had installed the Agent on a terminal Server. Used an Java based program for several users which was missconfigured without any RAM restriction on the jvm (now on 512m). So the system went sometimes in struggle of free virtual RAM. In this Situation the agent was disabled by missing Ressourcen.&nbsp;</P><P>We struggled about 3 days, because Real RAM was enough, but jvm used the virtual RAM setting and this wasnt adjusted for non restricted jvm RAM setting.&nbsp;</P><P>&nbsp;</P><P>Best regards&nbsp;</P><P>&nbsp;</P><P>Rob</P><P>&nbsp; &nbsp; &nbsp; &nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 15 Jan 2022 13:01:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/458898#M1448 Cyber1985 2022-01-15T13:01:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/458997#M1453 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206384">@Cyber1985</a>&nbsp;From the article, it appears that the bypass attempts were blocked, or am I reading it incorrectly?</P><P>&nbsp;</P><P>For your endpoint issues,<BR />for #1, are you able to reproduce the issue or is it a one-time incident? Does the BSOD happen every time you try to quarantine or delete a file?<BR />for #2, it is not clear from your explanation if the issue is related to Cortex XDR agent or the Java-based application. It might be an issue with the JVM's on the hosts and not Cortex XDR. If your issue persists, please create a support ticket at support.paloaltonetworls.com with agent logs for the corresponding teams to analyse the issues.</P><P>&nbsp;</P><P>Hope this helps!</P> Mon, 17 Jan 2022 04:41:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/458997#M1453 bbarmanroy 2022-01-17T04:41:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/459006#M1455 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192661">@bbarmanroy</a>&nbsp;</P><P>Thanks for the fast reply!&nbsp;</P><P>&nbsp;</P><P>As I understood the final showdown can bee seen in the last Video and the Text above.&nbsp;</P><P>#1 could be reproduced, but our PoC is over and there wasnt enough time to submit a Ticket.&nbsp;</P><P>&nbsp;</P><P>#2 You are right, the issue came from jvm. I Dont except a solution, i wanted to share my XP.&nbsp;</P><P>&nbsp;</P><P>Best Regards</P><P>&nbsp;</P><P>Rob&nbsp;</P><P>&nbsp;</P> Mon, 17 Jan 2022 06:25:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/459006#M1455 Cyber1985 2022-01-17T06:25:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/459019#M1456 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206384">@Cyber1985</a>&nbsp;What I see in the last gif is the Cobalt Strike beacon being detected and a Cortex XDR agent popup that says "Cortex XDR agent has blocked a malicious activity!", which contradicts the text. It's a bit unclear here.</P><P>&nbsp;</P><P>Cortex XDR engineering teams continuously looks for evasion techniques and bakes appropriate detection and/or prevention techniques to mitigate such actions. My recommendation is to try to recreate the POC and if successful, reach out to your account teams who will guide you through the next steps.</P> Tue, 18 Jan 2022 05:59:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/459019#M1456 bbarmanroy 2022-01-18T05:59:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461304#M1494 <P>hello!&nbsp;</P><P>The correction of the above mentioned evation technique was allredy fixed I was told by the researcher himself.&nbsp;</P><P>For issue#1: yes, everytime I tried to delete or quarantined a not existing file I got an BSOD.&nbsp;</P><P>Issue#2: yes indeed, the root of the problem was caused by not well configured JVMs.</P><P>&nbsp;</P><P>Best Regards&nbsp;</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp; &nbsp;</P> Thu, 27 Jan 2022 06:36:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461304#M1494 Cyber1985 2022-01-27T06:36:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461383#M1500 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206384">@Cyber1985</a>&nbsp;Thank you for reaching out and confirming the point on XDR capabilities.</P><P>&nbsp;</P><P>For your case where the endpoint is experiencing a BSOD for triggering a File Search and Destroy for files that are deleted or quarantined, I recommend you to open a support ticket and upload the support file for the affected endpoint. Please ensure your endpoint is running a supported version of Cortex XDR and has not reached <A href="https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary" target="_self">End-of-life</A>.</P> Thu, 27 Jan 2022 13:06:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461383#M1500 bbarmanroy 2022-01-27T13:06:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461393#M1501 <P>what agent version and what content version was this performed with?</P> Thu, 27 Jan 2022 13:29:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461393#M1501 P.Jacob 2022-01-27T13:29:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461723#M1508 <P>It was around Version&nbsp;7.4.2.3569.&nbsp;</P><P>We are out of PoC. So we cannot open any support case.&nbsp;</P> Fri, 28 Jan 2022 07:19:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/researcher-for-evading-cortex-xdr-amp-my-poc-xp/m-p/461723#M1508 Cyber1985 2022-01-28T07:19:30Z