https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usercentric-exe-on-ms-teams/m-p/467366#M1579 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210261">@PGP1234</a>&nbsp;The attack vector can be Teams, emails, or any other communication tool that is being used by a malicious actor to compromise an end-user. That is the first-stage dropper that is then used to gain persistence and/or perform malicious activities on the endpoint etc.&nbsp;</P><P>&nbsp;</P><P>How Cortex XDR detects this: behaviorial analysis. XDR will monitor all running processes and look at the actions being performed (registry entries, network activities, disk activities etc.) Take a look at this document, which explains the capabilities of Cortex XDR in detail:&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-concepts/about-cortex-xdr-protection.html" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-concepts/about-cortex-xdr-protection.html</A></P><P>&nbsp;</P><P>The payload can evolve over time, as can the second- or third-stage payloads. Blocking via hash is a tactical fix, and not to be confused with a strategic fix. The fix can be on multiple levels: firewalls, endpoints, permissions review, user awareness etc.</P> Tue, 22 Feb 2022 06:13:31 GMT bbarmanroy 2022-02-22T06:13:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usercentric-exe-on-ms-teams/m-p/467337#M1575 <P>Hi,</P><P>&nbsp;</P><P>There are recent articles on MS Teams security incident. Attackers attach usercentric.exe files to Teams chats to install a Trojan on the end-user's computer. This Trojan is then used to install malware that self-administers the computer.</P><P>&nbsp;</P><P><STRONG>Does Cortex XDR detect this? </STRONG></P><UL><LI><STRONG>If yes, how? If not, what are the other mitigations we can do? </STRONG></LI></UL><P><STRONG>Are there particular hashes to be blocked?</STRONG></P><P>&nbsp;</P><P>Link:&nbsp;<A href="https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations" target="_blank">https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations</A></P> Tue, 22 Feb 2022 01:31:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usercentric-exe-on-ms-teams/m-p/467337#M1575 PGP1234 2022-02-22T01:31:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usercentric-exe-on-ms-teams/m-p/467366#M1579 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210261">@PGP1234</a>&nbsp;The attack vector can be Teams, emails, or any other communication tool that is being used by a malicious actor to compromise an end-user. That is the first-stage dropper that is then used to gain persistence and/or perform malicious activities on the endpoint etc.&nbsp;</P><P>&nbsp;</P><P>How Cortex XDR detects this: behaviorial analysis. XDR will monitor all running processes and look at the actions being performed (registry entries, network activities, disk activities etc.) Take a look at this document, which explains the capabilities of Cortex XDR in detail:&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-concepts/about-cortex-xdr-protection.html" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-concepts/about-cortex-xdr-protection.html</A></P><P>&nbsp;</P><P>The payload can evolve over time, as can the second- or third-stage payloads. Blocking via hash is a tactical fix, and not to be confused with a strategic fix. The fix can be on multiple levels: firewalls, endpoints, permissions review, user awareness etc.</P> Tue, 22 Feb 2022 06:13:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/usercentric-exe-on-ms-teams/m-p/467366#M1579 bbarmanroy 2022-02-22T06:13:31Z